Module: Auth::Authorization

Included in:
Server::Base
Defined in:
lib/jungle_path/app/auth/authorization.rb



Class Method Details

.authorized_admin?(request, params, current_auth, db) ⇒ Boolean



# File 'lib/jungle_path/app/auth/authorization.rb', line 44

# Admin-scoped authorization for write requests (POST/PUT/DELETE).
#
# A caller holding the :admin permission may manage the resource families
# listed in +freely_managed+ below, and may act on users and user_roles as
# long as the request never touches a root user or hands out a root role.
# Every other path is denied.
#
# @param request [#path_info] the current Rack/Sinatra request
# @param params [Hash] request parameters; :role_id / :user_id are read on POST
# @param current_auth [#has_permission?] the caller's resolved auth context
# @param db database handle passed through to JunglePath::SQL::UserRole
# @return [Boolean] true when the admin may proceed, false otherwise
def self.authorized_admin? request, params, current_auth, db
	# Without :admin there is nothing further to decide.
	return false unless current_auth.has_permission?(:admin)

	# Resource families an :admin may manage without further checks.
	freely_managed = %w[
		organizations user_organizations images sentiment_sets
		events sessions moderators foci categories
	]

	path = request.path_info
	segments = path.split('/')

	# auth_admin not allowed to deal with root users/keys/roles: these two
	# lookups are the only things that can turn an otherwise-permitted
	# users/user_roles request into a denial.
	root_user = ->(user_id) { JunglePath::SQL::UserRole.has_root_role_by_user_id(db, user_id) }
	root_role = ->(role_id) { JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) }

	case
	when path == "/users" # POST: creating a user
		role_id = params[:role_id]
		# Only a request that names a role can attempt to create a root user.
		!(role_id && root_role.call(role_id))
	when segments[1] == "users" # PUT/DELETE on /users/:id
		role_id = params[:role_id]
		# Neither a root user may be modified nor a root role attached.
		!root_user.call(segments[2].to_i) && !(role_id && root_role.call(role_id))
	when path == "/user_roles" # POST: assigning a role to a user
		# NOTE(review): params[:user_id] is passed through as-is here while the
		# PUT/DELETE branch below coerces with to_i — confirm the SQL helpers
		# accept both forms.
		!root_user.call(params[:user_id]) && !root_role.call(params[:role_id])
	when segments[1] == "user_roles" # PUT/DELETE on /user_roles/:user_id/:role_id
		!root_user.call(segments[2].to_i) && !root_role.call(segments[3].to_i)
	when freely_managed.include?(segments[1])
		true
	else
		# Unknown resource families fail closed.
		false
	end
end

Instance Method Details

#set_authorization(route_access) ⇒ Object



# File 'lib/jungle_path/app/auth/authorization.rb', line 7

# Installs a Sinatra +before+ filter that decides whether the current
# request may proceed; a denied request is halted with HTTP 403.
#
# Decision order, first grant wins, later vetoes still apply:
#   1. the path is open or only requires authentication (per route_access);
#   2. GET: the caller holds :root or :read;
#   3. POST/PUT/DELETE: the caller holds :root or :write, reads via "/query",
#      edits their own /users/:id record, or passes
#      Auth::Authorization.authorized_admin? — then a :read restriction
#      vetoes the write regardless;
#   4. a :query_only restriction vetoes anything outside the query-only paths.
#
# @param route_access route access table consulted by JunglePath::Authorization::Paths
# @return [Object] the value of the +before+ registration; not used by callers
def set_authorization route_access
	before do
		puts "verb: #{request.request_method}."
		puts "path: #{request.path_info}."

		paths = JunglePath::Authorization::Paths
		path = request.path_info

		# Open paths short-circuit the authenticated-path lookup.
		authorized = paths.is_open_path?(request, route_access) ||
			paths.is_authenticated_path?(request, route_access)

		unless authorized
			# Verbs matching neither branch below (e.g. PATCH) stay denied
			# unless the path was already open or authenticated above.
			if request.get?
				# Both permissions are looked up; either one grants read access.
				read_grants = [
					current_auth.has_permission?(:root),
					current_auth.has_permission?(:read)
				]
				authorized = read_grants.any?
			end

			if request.post? || request.put? || request.delete?
				# Evaluated left to right; the first grant stops the chain, so the
				# admin lookup (which hits the database) runs only as a last resort.
				authorized =
					current_auth.has_permission?(:root) ||
					current_auth.has_permission?(:write) ||
					(path == "/query" && current_auth.has_permission?(:read)) ||
					path == "/users/#{current_user.id}" ||
					Auth::Authorization.authorized_admin?(request, params, current_auth, db)
				# A :read restriction overrides every write grant above.
				authorized = false if current_auth.has_restriction?(:read)
			end

			# The path test runs first so the restriction is only consulted
			# off the query-only paths.
			if !paths.is_query_only_path?(request, current_auth) && current_auth.has_restriction?(:query_only)
				authorized = false
			end
		end

		unless authorized
			# NOTE(review): this body is returned to the client and echoes the
			# caller's roles, permissions and restrictions; consider keeping that
			# detail in the server log only.
			message = "request was not allowed.\n\nrequest: #{request.request_method} #{request.path_info}\nuser_name: #{current_user.user_name}\nroles: #{current_auth.roles}\npermissions: #{current_auth.permissions}\nrestrictions: #{current_auth.restrictions}"
			# http status code 403 Forbidden.
			puts "request status: 403\n#{message}."
			halt 403, message
		end
	end
end