Class: Checkpoint::Query::RoleGranted

Inherits:
Object
Defined in:
lib/checkpoint/query/role_granted.rb

Overview

RoleGranted is a predicate query that captures the user, role, and target, and checks if the authority recognizes the user as having the role.

TODO: Extract-To-Manual

There are two primary approaches to handling which actions are permitted for which roles:

  1. Encoding the details directly in policy objects and checking for the appropriate roles within a given rule. This has the effect of placing the literal values within the body of a rule, making it quite easy to examine. Tests can validate system behavior at development time because it is static.

  2. Implementing a Credential::Resolver that maps backward from actions to named permissions and roles that would allow them. The policy rules would only authorize actions, leaving the mapping outside to accommodate configuration or runtime modification. This has the effect of being more flexible, while making the specifics of a rule more difficult to examine. Tests can only validate system behavior for a particular configuration – whether an instance of the application is configured in a correct or expected way is not testable at development time.

Constructor Details

#initialize(user, role, target = Resource.all, authority: Authority::RejectAll.new) ⇒ RoleGranted

Returns a new instance of RoleGranted.

Parameters:

  • user (<application actor>)

    the acting user/account

  • role (String|Symbol)

    the role to be checked; this will be forced to a symbol

  • target (<application entity>) (defaults to: Resource.all)

    the object or application resource for which the user may have a role; defaults to Resource.all to ease checking for zone-/system-wide roles.

  • authority (Checkpoint::Authority) (defaults to: Authority::RejectAll.new)

    the authority to ask about this role-grant



# File 'lib/checkpoint/query/role_granted.rb', line 39

def initialize(user, role, target = Resource.all, authority: Authority::RejectAll.new)
  @user      = user
  @role      = role.to_sym
  @target    = target
  @authority = authority
end

Instance Attribute Details

#role ⇒ Object (readonly)

Returns the value of attribute role.



# File 'lib/checkpoint/query/role_granted.rb', line 29

def role
  @role
end

#target ⇒ Object (readonly)

Returns the value of attribute target.



# File 'lib/checkpoint/query/role_granted.rb', line 29

def target
  @target
end

#user ⇒ Object (readonly)

Returns the value of attribute user.



# File 'lib/checkpoint/query/role_granted.rb', line 29

def user
  @user
end

Instance Method Details

#true? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/checkpoint/query/role_granted.rb', line 46

def true?
  authority.permits?(user, Credential::Role.new(role), target)
end
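
An added example, not part of the Checkpoint source: a self-contained sketch of the first approach from the overview (roles as literals in a policy rule), which also shows what the Authority::RejectAll default means for a query built without an authority. The names Sketch, TableAuthority, DocumentPolicy and the grant data are assumptions made for illustration; only the shapes of the constructor and #true? come from this page.

```ruby
# Stand-ins written for this example; none of this is the Checkpoint gem's code.
module Sketch
  ALL  = :all_resources      # stand-in for Resource.all
  Role = Struct.new(:name)   # stand-in for Credential::Role

  # Stand-in for the default authority: denies every question (fails closed).
  class RejectAll
    def permits?(_user, _credential, _target)
      false
    end
  end

  # Hypothetical authority: exact match against [user, role, target] grants.
  class TableAuthority
    def initialize(grants)
      @grants = grants
    end
    def permits?(user, credential, target)
      @grants.include?([user, credential.name, target])
    end
  end

  # Same shape as the constructor and #true? documented on this page.
  class RoleGranted
    def initialize(user, role, target = ALL, authority: RejectAll.new)
      @user, @role, @target, @authority = user, role.to_sym, target, authority
    end
    def true?
      @authority.permits?(@user, Role.new(@role), @target)
    end
  end

  # Approach 1: the roles that may edit are literals in the rule body.
  class DocumentPolicy
    def initialize(user, doc, authority)
      @user, @doc, @authority = user, doc, authority
    end
    def edit?
      %i[editor admin].any? do |role|
        RoleGranted.new(@user, role, @doc, authority: @authority).true?
      end
    end
  end
end

# Constructed sample grants (not from the page).
GRANTS = [["alice", :editor, "doc-1"], ["root", :admin, Sketch::ALL]].freeze
AUTH   = Sketch::TableAuthority.new(GRANTS)
```

Because the allowed roles sit in the rule body, a development-time test can pin the policy's behaviour against a fixed grant table, and a query constructed without an authority answers false rather than raising or permitting.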