Class: Can4::Ability

Inherits:

Object

• Object
• Can4::Ability

Defined in:

lib/can4/ability.rb

Overview

Ability class for resources.

To define an ability model for your resource, define an ability class in a location of your choosing, and define the actions available to the resource on construction.

Examples:

class Ability < Can4::Ability
  def initialize(user)
    # Handle unauthenticated users.
    user ||= User.new

    if user.admin?
      # Allow admins to perform any action.
      allow_anything!
    else
      # Will always return true for can?(:read, @comment).
      can :read, Comment

      # Will only return true for can?(:read, @private_message)
      # if the user is allowed to read the private message.
      can :read, PrivateMessage do |msg|
        msg.user_id == user.id
      end
    end
  end
end

Instance Method Summary

• #allow_anything! ⇒ Object

  Allows the object to perform any action on any subject.

• #authorize!(action, subject, *args) ⇒ Object

  Checks whether this resource has authorization to perform an action on a particular subject.

• #can(action, subject, &block) ⇒ Object

  Adds an access-granting rule.

• #can?(action, subject, *args) ⇒ Boolean

  Checks whether the object can perform an action on a subject.

• #cannot?(*args) ⇒ Boolean

  Inverse of #can?.

Instance Method Details

#allow_anything! ⇒ Object

Allows the object to perform any action on any subject. This overrides all #cannot rules.

# File 'lib/can4/ability.rb', line 63

def allow_anything!
  instance_eval do
    def can?(*)
      true
    end

    def cannot?(*)
      false
    end
  end
end

#authorize!(action, subject, *args) ⇒ Object

Checks whether this resource has authorization to perform an action on a particular subject. Raises Can4::AccessDenied if it doesn’t.

Parameters:

• action (Symbol) —

  The intended action.

• subject (Object) —

  The subject of the action.

Raises:

• (AccessDenied) —

  if the object does not have permission.

# File 'lib/can4/ability.rb', line 81

def authorize!(action, subject, *args)
  raise AccessDenied if cannot?(action, subject, *args)
end

#can(action, subject, &block) ⇒ Object

Adds an access-granting rule.

Parameters:

• action (Symbol) —

  The action, represented as a symbol.

• subject (Object) —

  The subject.

• block (Proc) —

  An optional Proc to install for matching.

# File 'lib/can4/ability.rb', line 57

def can(action, subject, &block)
  rule_for(subject).add_grant(action, block)
end

#can?(action, subject) ⇒ Boolean #can?(action, subject, *args) ⇒ Boolean

Checks whether the object can perform an action on a subject.

Overloads:

• #can?(action, subject) ⇒ Boolean

  Parameters:

  • action (Symbol) —

    The action, represented as a symbol.

  • subject (Object) —

    The subject.

• #can?(action, subject, *args) ⇒ Boolean

  Parameters:

  • action (Symbol) —

    The action, represented as a symbol.

  • subject (Object) —

    The subject.

  • args (Object) —

    Splat parameters to an installed block.

Returns:

• (Boolean) —

  True or false.

# File 'lib/can4/ability.rb', line 41

def can?(action, subject, *args)
  lookup_rule(subject).authorized?(action, subject, args)
end

#cannot?(*args) ⇒ Boolean

Inverse of #can?.

Returns:

• (Boolean)

See Also:

• #can?

# File 'lib/can4/ability.rb', line 48

def cannot?(*args)
  !can?(*args)
end