Module: Auth::Authorization
- Included in:
- Server::Base
- Defined in:
- lib/jungle_path/app/auth/authorization.rb
Class Method Summary collapse
Instance Method Summary collapse
Class Method Details
.authorized_admin?(request, params, current_auth, db) ⇒ Boolean
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
# File 'lib/jungle_path/app/auth/authorization.rb', line 44 def self. request, params, current_auth, db = false if current_auth.(:admin) # auth_admin not allowed to deal with root users/keys/roles... = true parts = request.path_info.split('/') allowed = { 'organizations' => true, 'user_organizations' => true, 'images' => true, 'sentiment_sets' => true, 'events' => true, 'sessions' => true, 'moderators' => true, 'foci' => true, 'categories' => true } if request.path_info == "/users" # post... role_id = params[:role_id] = false if role_id and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) # :auth_admin not allowed to add a root user_role. elsif parts[1] == "users" # put or delete user_id = parts[2].to_i role_id = params[:role_id] = false if JunglePath::SQL::UserRole.has_root_role_by_user_id(db, user_id) # :auth_admin not allowed to modify data related to a user with a role of root. = false if and role_id and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) # :auth_admin not allowed to add a root user_role. elsif request.path_info == "/user_roles" # post... user_id = params[:user_id] role_id = params[:role_id] = false if JunglePath::SQL::UserRole.has_root_role_by_user_id(db, user_id) = false if and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) elsif parts[1] == "user_roles" # put or delete user_id = parts[2].to_i role_id = parts[3].to_i = false if JunglePath::SQL::UserRole.has_root_role_by_user_id(db, user_id) = false if and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) elsif allowed[parts[1]] = true else = false end end end |
Instance Method Details
#set_authorization(route_access) ⇒ Object
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
# File 'lib/jungle_path/app/auth/authorization.rb', line 7 def route_access before do puts "verb: #{request.request_method}." puts "path: #{request.path_info}." = false = JunglePath::Authorization::Paths.is_open_path?(request, route_access) = JunglePath::Authorization::Paths.is_authenticated_path?(request, route_access) unless unless if request.get? = true if current_auth.(:root) = true if current_auth.(:read) end if request.post? or request.put? or request.delete? = true if current_auth.(:root) unless = true if current_auth.(:write) unless = true if request.path_info == "/query" and current_auth.(:read) unless = true if request.path_info == "/users/#{current_user.id}" unless = true if Auth::Authorization.(request, params, current_auth, db) unless = false if current_auth.has_restriction?(:read) end = false if current_auth.has_restriction?(:query_only) unless JunglePath::Authorization::Paths.is_query_only_path? request, current_auth end unless = "request was not allowed.\n\nrequest: #{request.request_method} #{request.path_info}\nuser_name: #{current_user.user_name}\nroles: #{current_auth.roles}\npermissions: #{current_auth.permissions}\nrestrictions: #{current_auth.restrictions}" # http status code 403 Forbidden. puts "request status: 403\n#{message}." halt 403, end end end |