Module: Lockdown::Rules

Included in:

System

Defined in:

lib/lockdown/rules.rb

Instance Attribute Summary

• #options ⇒ Object

  Returns the value of attribute options.

• #permission_objects ⇒ Object readonly

  Returns the value of attribute permission_objects.

• #permissions ⇒ Object

  Returns the value of attribute permissions.

• #protected_access ⇒ Object readonly

  Returns the value of attribute protected_access.

• #public_access ⇒ Object readonly

  Returns the value of attribute public_access.

• #user_groups ⇒ Object

  Returns the value of attribute user_groups.

Instance Method Summary

• #access_rights_for_permission(perm) ⇒ Object

  Return array of controller/action for a permission.

• #access_rights_for_user(usr) ⇒ Object

  Return array of controller/action values user can access.

• #access_rights_for_user_group(user_group_sym) ⇒ Object

  Return array of controller/action for a user group.

• #administrator?(usr) ⇒ Boolean

  Test user for administrator rights.

• #get_permissions ⇒ Object

  Returns array of permission names as symbols.

• #get_user_groups ⇒ Object

  Returns array of user group names as symbols.

• #make_user_administrator(usr) ⇒ Object

  Pass in a user object to be associated to the administrator user group The group will be created if it doesn’t exist.

• #permission_assigned_automatically?(permmision_symbol) ⇒ Boolean

  These permissions are assigned by the system.

• #permission_exists?(permission_symbol) ⇒ Boolean (also: #has_permission?)

  Is the permission defined?.

• #permissions_assignable_for_user(usr) ⇒ Object

  Similar to user_groups_assignable_for_user, this method should be used to restrict users from creating a user group with more power than they have been allowed.

• #permissions_for_user_group(ug) ⇒ Object

  Returns and array of permission symbols for the user group.

• #process_rules ⇒ Object
• #protected_access?(perm_symbol) ⇒ Boolean

  returns true if the permission is public.

• #public_access?(perm_symbol) ⇒ Boolean

  returns true if the permission is public.

• #set_defaults ⇒ Object
• #set_permission(name) ⇒ Object

  Creates new permission object Refer to the Permission object for the full functionality.

• #set_protected_access(*perms) ⇒ Object

  Defines protected access by the permission symbols.

• #set_public_access(*perms) ⇒ Object

  Defines public access by the permission symbols.

• #set_user_group(name, *perms) ⇒ Object

  Define a user groups by name and permission symbol(s).

• #standard_authorized_user_rights ⇒ Object

  Returns array of controller/action values all logged in users can access.

• #user_group_exists?(user_group_symbol) ⇒ Boolean (also: #has_user_group?)

  Is the user group defined? The :administrators user group always exists.

• #user_groups_assignable_for_user(usr) ⇒ Object

  Use this for the management screen to restrict user group list to the user.

• #user_has_user_group?(usr, sym) ⇒ Boolean

  Pass in user object and symbol for name of user group.

Instance Attribute Details

#options ⇒ Object

Returns the value of attribute options.

# File 'lib/lockdown/rules.rb', line 3

def options
  @options
end

#permission_objects ⇒ Object (readonly)

Returns the value of attribute permission_objects.

# File 'lib/lockdown/rules.rb', line 10

def permission_objects
  @permission_objects
end

#permissions ⇒ Object

Returns the value of attribute permissions.

# File 'lib/lockdown/rules.rb', line 4

def permissions
  @permissions
end

#protected_access ⇒ Object (readonly)

Returns the value of attribute protected_access.

# File 'lib/lockdown/rules.rb', line 7

def protected_access
  @protected_access
end

#public_access ⇒ Object (readonly)

Returns the value of attribute public_access.

# File 'lib/lockdown/rules.rb', line 8

def public_access
  @public_access
end

#user_groups ⇒ Object

Returns the value of attribute user_groups.

# File 'lib/lockdown/rules.rb', line 5

def user_groups
  @user_groups
end

Instance Method Details

#access_rights_for_permission(perm) ⇒ Object

Return array of controller/action for a permission

# File 'lib/lockdown/rules.rb', line 187

def access_rights_for_permission(perm)
  sym = Lockdown.get_symbol(perm)

  permissions[sym]
rescue 
  raise SecurityError, "Permission requested is not defined: #{sym}"
end

#access_rights_for_user(usr) ⇒ Object

Return array of controller/action values user can access.

# File 'lib/lockdown/rules.rb', line 162

def access_rights_for_user(usr)
  return unless usr
  return :all if administrator?(usr)

  rights = standard_authorized_user_rights
    
  user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
  user_groups.each do |grp|
    permissions_for_user_group(grp).each do |perm|
      rights += access_rights_for_permission(perm) 
    end
  end
  rights
end

#access_rights_for_user_group(user_group_sym) ⇒ Object

Return array of controller/action for a user group

# File 'lib/lockdown/rules.rb', line 178

def access_rights_for_user_group(user_group_sym)
  res = []
  permissions_for_user_group(user_group_sym).each do |perm|
    res << access_rights_for_permission(perm)
  end
  res.flatten
end

#administrator?(usr) ⇒ Boolean

Test user for administrator rights

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 197

def administrator?(usr)
  user_has_user_group?(usr, Lockdown.administrator_group_symbol)
end

#get_permissions ⇒ Object

Returns array of permission names as symbols

# File 'lib/lockdown/rules.rb', line 101

def get_permissions
  permissions.keys
end

#get_user_groups ⇒ Object

Returns array of user group names as symbols

# File 'lib/lockdown/rules.rb', line 130

def get_user_groups
  user_groups.keys
end

#make_user_administrator(usr) ⇒ Object

Pass in a user object to be associated to the administrator user group The group will be created if it doesn’t exist

# File 'lib/lockdown/rules.rb', line 149

def make_user_administrator(usr)
  user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
  user_groups << Lockdown.user_group_class.
    find_or_create_by_name(Lockdown.administrator_group_string)
end

#permission_assigned_automatically?(permmision_symbol) ⇒ Boolean

These permissions are assigned by the system

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 125

def permission_assigned_automatically?(permmision_symbol)
  public_access?(permmision_symbol) || protected_access?(permmision_symbol)
end

#permission_exists?(permission_symbol) ⇒ Boolean Also known as: has_permission?

Is the permission defined?

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 106

def permission_exists?(permission_symbol)
  get_permissions.include?(permission_symbol)
end

#permissions_assignable_for_user(usr) ⇒ Object

Similar to user_groups_assignable_for_user, this method should be used to restrict users from creating a user group with more power than they have been allowed.

# File 'lib/lockdown/rules.rb', line 238

def permissions_assignable_for_user(usr)
  return [] if usr.nil?
  if administrator?(usr)
    get_permissions.collect do |k| 
      ::Permission.find_by_name(Lockdown.get_string(k))
    end.compact
  else
    user_groups_assignable_for_user(usr).collect do |g| 
      g.permissions
    end.flatten.compact
  end
end

#permissions_for_user_group(ug) ⇒ Object

Returns and array of permission symbols for the user group

# File 'lib/lockdown/rules.rb', line 252

def permissions_for_user_group(ug)
  sym = Lockdown.get_symbol(ug)
  perm_array = []  

  if has_user_group?(sym)
    permissions = user_groups[sym] || []
  else
    if ug.respond_to?(:permissions)
      permissions = ug.permissions
    else
      raise GroupUndefinedError, "#{ug} not found in init.rb and does not respond to #permissions"
    end
  end


  permissions.each do |perm|
    perm_sym = Lockdown.get_symbol(perm)

    unless permission_exists?(perm_sym)
      msg = "Permission associated to User Group is invalid: #{perm}"
      raise SecurityError, msg
    end

    perm_array << perm_sym
  end

  perm_array 
end

#process_rules ⇒ Object

# File 'lib/lockdown/rules.rb', line 281

def process_rules
  parse_permissions
  validate_user_groups
end

#protected_access?(perm_symbol) ⇒ Boolean

returns true if the permission is public

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 119

def protected_access?(perm_symbol)
  obj = find_permission_object(perm_symbol)
  obj.nil? ? false : obj.protected_access?
end

#public_access?(perm_symbol) ⇒ Boolean

returns true if the permission is public

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 113

def public_access?(perm_symbol)
  obj = find_permission_object(perm_symbol)
  obj.nil? ? false : obj.public_access? 
end

#set_defaults ⇒ Object

# File 'lib/lockdown/rules.rb', line 12

def set_defaults
  @permissions  = {}
  @user_groups  = {}
  @options      = {}

  @permission_objects = {}

  @public_access      = []
  @protected_access   = []

  @options = {
    :session_timeout => (60 * 60),
    :who_did_it => :current_user_id,
    :default_who_did_it => 1,
    :logout_on_access_violation => false,
    :access_denied_path => "/",
    :successful_login_path => "/",
    :subdirectory => nil,
    :skip_db_sync_in => ["test"],
    :link_separator => ' | ',
    :user_group_model => "UserGroup",
    :user_model => "User" 
  }
end

#set_permission(name) ⇒ Object

Creates new permission object

Refer to the Permission object for the full functionality

# File 'lib/lockdown/rules.rb', line 43

def set_permission(name)
  @permission_objects[name] = Lockdown::Permission.new(name)
end

#set_protected_access(*perms) ⇒ Object

Defines protected access by the permission symbols

Example

set_public_access(:permission_one, :permission_two)

# File 'lib/lockdown/rules.rb', line 69

def set_protected_access(*perms)
  perms.each do |perm_symbol|
    perm = find_permission_object(perm_symbol)
    if perm
      perm.set_as_protected_access 
    else
      msg = "Permission not found: #{perm_symbol}"
      raise Lockdown::InvalidRuleAssignment, msg
    end
  end
end

#set_public_access(*perms) ⇒ Object

Defines public access by the permission symbols

Example

set_public_access(:permission_one, :permission_two)

# File 'lib/lockdown/rules.rb', line 52

def set_public_access(*perms)
  perms.each do |perm_symbol|
    perm = find_permission_object(perm_symbol)
    if perm
      perm.set_as_public_access 
    else
      msg = "Permission not found: #{perm_symbol}"
      raise Lockdown::InvalidRuleAssignment, msg
    end
  end
end

#set_user_group(name, *perms) ⇒ Object

Define a user groups by name and permission symbol(s)

Example

set_user_group(:managment_group, :permission_one, :permission_two)

# File 'lib/lockdown/rules.rb', line 86

def set_user_group(name, *perms)
  user_groups[name] ||= []
  perms.each do |perm|
    if permission_assigned_automatically?(perm)
      raise Lockdown::InvalidPermissionAssignment, "Permission is assigned automatically.  Please remove it from #{name} user group"
    end
    user_groups[name].push(perm)
  end
end

#standard_authorized_user_rights ⇒ Object

Returns array of controller/action values all logged in users can access.

# File 'lib/lockdown/rules.rb', line 157

def standard_authorized_user_rights
  public_access + protected_access 
end

#user_group_exists?(user_group_symbol) ⇒ Boolean Also known as: has_user_group?

Is the user group defined?

The :administrators user group always exists

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 136

def user_group_exists?(user_group_symbol)
  return true if user_group_symbol == Lockdown.administrator_group_symbol
  get_user_groups.include?(user_group_symbol)
end

#user_groups_assignable_for_user(usr) ⇒ Object

Use this for the management screen to restrict user group list to the user. This will prevent a user from creating a user with more power than him/her self.

# File 'lib/lockdown/rules.rb', line 212

def user_groups_assignable_for_user(usr)
  return [] if usr.nil?
  ug_table = Lockdown.user_groups_hbtm_reference.to_s
  if administrator?(usr)
    Lockdown.user_group_class.find_by_sql "      select \#{ug_table}.* from \#{ug_table} order by \#{ug_table}.name\n    SQL\n  else\n    usr_table = Lockdown.users_hbtm_reference.to_s\n    if usr_table < ug_table\n      join_table = \"\#{usr_table}_\#{ug_table}\"\n    else\n      join_table = \"\#{ug_table}_\#{usr_table}\"\n    end\n    Lockdown.user_group_class.find_by_sql <<-SQL\n        select \#{ug_table}.* from \#{ug_table}, \#{join_table}\n         where \#{ug_table}.id = \#{join_table}.\#{Lockdown.user_group_id_reference}\n         and \#{join_table}.\#{Lockdown.user_id_reference} = \#{usr.id}   \n         order by \#{ug_table}.name\n    SQL\n  end\nend\n"

#user_has_user_group?(usr, sym) ⇒ Boolean

Pass in user object and symbol for name of user group

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 202

def user_has_user_group?(usr, sym)
  user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
  user_groups.any? do |ug|
    Lockdown.convert_reference_name(ug.name) == sym
  end
end