Class: Ixtlan::Guard::Guard
- Inherits:
-
Object
- Object
- Ixtlan::Guard::Guard
- Defined in:
- lib/ixtlan/guard/guard.rb
Instance Attribute Summary collapse
-
#superuser ⇒ Object
readonly
Returns the value of attribute superuser.
Instance Method Summary collapse
- #allowed?(resource, action, groups, &block) ⇒ Boolean
- #allowed_groups(resource_name, action, current_group_names) ⇒ Object
- #block_groups(groups) ⇒ Object
- #blocked_groups ⇒ Object
- #check(resource_name, action, current_groups, &block) ⇒ Object
-
#initialize(options = {}) ⇒ Guard
constructor
A new instance of Guard.
- #logger ⇒ Object
- #permissions(current_groups, &block) ⇒ Object
- #superuser_name ⇒ Object
Constructor Details
Instance Attribute Details
#superuser ⇒ Object (readonly)
Returns the value of attribute superuser.
# File 'lib/ixtlan/guard/guard.rb', line 7

# Read-only accessor for the superuser attribute.
#
# The other methods listed on this page use the value as an Array of group
# names (`@superuser[0]`, `allowed + @superuser`), so expect an Array here.
# NOTE(review): the constructor is not shown, so how the value is populated
# cannot be confirmed from this page.
#
# @return [Object] the current value of @superuser
def superuser
  @superuser
end
Instance Method Details
#allowed?(resource, action, groups, &block) ⇒ Boolean
# File 'lib/ixtlan/guard/guard.rb', line 96

# Boolean form of #check: access is granted when #check returns anything
# other than nil (nil is its 'access denied' value).
#
# Anything #check raises propagates to the caller unchanged; the method does
# not turn an exception into a "denied" answer.
#
# @param resource [Object] resource name handed to #check
# @param action [Object] action name handed to #check
# @param groups [Object] the caller's groups, handed to #check
# @param block optional filter block, forwarded to #check
# @return [Boolean] true when #check returned a non-nil value
def allowed?(resource, action, groups, &block)
  granted = check(resource, action, groups, &block)
  !granted.nil?
end
#allowed_groups(resource_name, action, current_group_names) ⇒ Object
# File 'lib/ixtlan/guard/guard.rb', line 40

# Names of the caller's groups that may perform +action+ on +resource_name+.
#
# The configured groups are reduced by the blocked groups and then extended
# with the superuser entries, so a superuser entry is always a candidate,
# even when it was passed to #block_groups.
#
# @param resource_name [Object] resource key passed to @config.allowed_groups
# @param action [Object] action key passed to @config.allowed_groups
# @param current_group_names [Array] names of the groups the caller is in
# @return [Array] the subset of current_group_names that grants access;
#   empty when nothing matches
def allowed_groups(resource_name, action, current_group_names)
  configured = @config.allowed_groups(resource_name, action)
  effective = configured - blocked_groups + @superuser

  # No wildcard: only groups that are both configured and held by the caller.
  return effective & current_group_names unless effective.member?('*')

  # Wildcard: every group of the caller counts, minus the blocked ones.
  # The superuser is taken out of the blocked list first, so it stays in the
  # result when the caller has it.
  current_group_names - (blocked_groups - @superuser)
end
#block_groups(groups) ⇒ Object
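# File 'lib/ixtlan/guard/guard.rb', line 20

# Replaces the list of blocked groups.
#
# Group names are normalised to strings. The superuser entries are removed
# from the list so the superuser can never be blocked. @superuser is used as
# an Array elsewhere in this class (`@superuser[0]`, `allowed + @superuser`),
# so the previous `Array#delete(@superuser)` compared every name against the
# whole array and removed nothing; the array difference below removes each
# superuser name.
#
# @param groups [Array, nil] groups to block; nil clears the list
# @return [Array<String>] the new blocked group names
def block_groups(groups)
  protected_names = Array(@superuser).map(&:to_s)
  @blocked_groups = (groups || []).map(&:to_s) - protected_names
end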
#blocked_groups ⇒ Object
# File 'lib/ixtlan/guard/guard.rb', line 26

# Currently blocked group names.
#
# The list is created empty on first access and the same Array object is
# returned on every later call, so callers that mutate the result change the
# guard's state.
#
# @return [Array] the blocked group names
def blocked_groups
  @blocked_groups = [] unless @blocked_groups
  @blocked_groups
end
#check(resource_name, action, current_groups, &block) ⇒ Object
# File 'lib/ixtlan/guard/guard.rb', line 69

# Core authorization check: which of the caller's groups grant +action+ on
# +resource_name+.
#
# The optional block is a filter. It receives the granting groups and
# returns the ones that remain valid. It is skipped when the superuser name
# is among the granting group names.
# NOTE(review): the filter result is used with `.size` right away, so a
# block that returns nil raises NoMethodError instead of denying access.
#
# @param resource_name [Object] resource to check
# @param action [#to_s] action to check; converted to a String
# @param current_groups [Object] the caller's groups, as accepted by group_map
# @return [Object, nil] the granting groups, or nil for 'access denied'
# @raise [Ixtlan::Guard::GuardException] when no group matched and the
#   config has no guard for resource_name
def check(resource_name, action, current_groups, &block)
  action = action.to_s
  groups_by_name = group_map(current_groups)
  permitted_names = allowed_groups(resource_name, action, groups_by_name.keys)

  if permitted_names.size.zero?
    # No group matched. A resource without any guard config is reported as
    # an error; a configured one is a plain denial.
    if @config.has_guard?(resource_name)
      logger.debug { "guard #{resource_name}##{action}: #{permitted_names.size > 0}" }
      # nil means 'access denied', i.e. there are no allowed groups
      return nil
    end
    raise ::Ixtlan::Guard::GuardException.new("no guard config for '#{resource_name}'")
  end

  groups = permitted_names.collect { |name| groups_by_name[name] }
  # call block to filter groups unless we are superuser
  groups = block.call(groups) if block && !permitted_names.member?(superuser_name)
  logger.debug { "guard #{resource_name}##{action}: #{groups.size > 0}" }
  # nil means 'access denied', i.e. the filter left no allowed groups
  groups if groups.size > 0
end
#logger ⇒ Object
# File 'lib/ixtlan/guard/guard.rb', line 30

# Lazily created logger for guard decisions.
#
# Uses Slf4r::LoggerFactory when that constant is loaded. Otherwise it falls
# back to a stdlib Logger writing to STDOUT. The instance is memoized in
# @logger.
#
# #check logs every decision at debug level, including the resource and
# action names. A stdlib Logger starts at DEBUG level, so with the fallback
# those lines go to standard output unless the level is raised.
#
# @return [Object] the memoized logger
def logger
  return @logger if @logger

  @logger =
    if defined?(Slf4r::LoggerFactory)
      Slf4r::LoggerFactory.new(Ixtlan::Guard)
    else
      require 'logger'
      Logger.new(STDOUT)
    end
end
#permissions(current_groups, &block) ⇒ Object
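# File 'lib/ixtlan/guard/guard.rb', line 100

# Builds the permission listing for the given groups: one Node(:permission)
# per resource in the guard config.
#
# Each permission node carries
#   :resource     - the resource key from the config
#   :deny         - how to read :actions (see below)
#   :actions      - Node(:action) entries with :name and, when the block
#                   returned something non-empty, :associations
#   :associations - set on the permission itself in the cases handled below
#
# Reading :deny: when it is true, the listed actions are the ones for which
# the caller has NO allowed group and everything else is permitted. When it
# is false, the listed actions are the ones the caller IS allowed to perform.
#
# NOTE(review): unlike #allowed_groups, this method never consults
# #blocked_groups, so the listing can include actions that #check denies for
# a blocked group. Confirm that is intended.
#
# @param current_groups [Object] the caller's groups, as accepted by group_map
# @yield [resource, groups] optional; the return value is stored under
#   :associations when it is non-empty
# @return [Array] one permission node per configured resource
def permissions(current_groups, &block)
  group_map = group_map(current_groups)
  perms = []
  m = @config.map_of_all
  m.each do |resource, actions|
    # Work on a shallow copy. 'defaults' is removed below, and deleting it
    # from the structure handed out by @config.map_of_all would drop the
    # defaults for every later call if the config object reuses that map.
    actions = actions.dup

    nodes = []
    perm = Node.new(:permission)
    perm[:resource] = resource
    perm[:actions] = nodes

    # setup default_groups: the configured defaults, narrowed to the groups
    # the caller actually has (superuser included) unless they hold '*'
    default_groups = actions.delete('defaults') || []
    default_groups = group_map.keys & (default_groups + @superuser) unless default_groups.member?('*')

    deny = if actions.size == 0
             # no actions configured, only defaults:
             #   deny = true  when the defaults hold '*', the caller is
             #                superuser, or a caller group is in the defaults
             #   deny = false otherwise
             default_groups.member?('*') ||
               group_map.keys.member?(@superuser[0]) ||
               !group_map.keys.detect { |g| default_groups.member? g }.nil?
           else
             # actions configured:
             #   deny = false when default_groups == []
             #   deny = true  when any default group applies (including '*')
             default_groups.size != 0 || default_groups.member?('*')
           end
    perm[:deny] = deny

    actions.each do |action, groups|
      # group entries may be plain names or single-key hashes; only the
      # names matter here
      group_names = groups.collect { |g| g.is_a?(Hash) ? g.keys : g }.flatten if groups
      node = Node.new(:action)
      allowed_groups =
        if groups && group_names.member?('*')
          group_map.values
        else
          names = group_map.keys & ((group_names || []) + @superuser)
          names.collect { |name| group_map[name] }
        end

      if (deny && allowed_groups.size == 0) || (!deny && allowed_groups.size > 0)
        # the action is an exception to the :deny default, so list it
        node[:name] = action
        if block
          if allowed_groups.size > 0
            assos = block.call(resource, allowed_groups)
            node[:associations] = assos if assos && assos.size > 0
          else
            assos = block.call(resource, group_map.values)
            perm[:associations] = assos if assos && assos.size > 0
          end
        end
        nodes << node
      elsif deny && allowed_groups.size > 0 && block
        # not listed, but the resource-level associations are still reported
        assos = block.call(resource, group_map.values)
        perm[:associations] = assos if assos && assos.size > 0
      end
    end

    # TODO is that right like this ?
    # only default_groups, i.e. no actions !!!
    if block && actions.size == 0 && deny
      assos = block.call(resource, group_map.values)
      perm[:associations] = assos if assos && assos.size > 0
    end
    perms << perm
  end
  perms
end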
#superuser_name ⇒ Object
# File 'lib/ixtlan/guard/guard.rb', line 16

# Name of the superuser group: the first entry of @superuser.
#
# #check compares this name against the granting group names to decide
# whether the caller's filter block is skipped.
#
# @return [Object, nil] the first superuser entry, or nil when the list is
#   empty
def superuser_name
  @superuser.first
end