Module: LogicalAuthz::Application::ClassMethods
- Defined in:
- lib/logical_authz/application.rb
Instance Method Summary collapse
- #access_controls(action) ⇒ Object
-
#admin_authorized(*actions) ⇒ Object
This method exists for backwards compatibility.
- #authorization_by_default(default_allow) ⇒ Object
- #authorization_needed?(action) ⇒ Boolean
- #check_acls(criteria, result_hash = nil) ⇒ Object
- #clear_policies! ⇒ Object
- #default_authorization ⇒ Object
-
#dynamic_authorization(&block) ⇒ Object
This method exists for backwards compatibility.
- #get_policy(action) ⇒ Object
-
#grant_aliases(hash) ⇒ Object
(also: #grant_alias)
grant_aliases :new => :create # => anyone with authorization to :create can also access :new (Read as: “for ‘new’ read ‘create’”).
- #grant_aliases_for(action) ⇒ Object
- #inspect_criteria(criteria) ⇒ Object
- #laz_debug ⇒ Object
- #move_policies(from, to) ⇒ Object
-
#needs_authorization(*actions) ⇒ Object
(also: #authorized_if_permitted)
It was tempting to build this on before_filter directly - however, inspecting a controller to see if a particular filter will run for a particular action is fragile.
- #normalize_criteria(criteria) ⇒ Object
-
#owner_authorized(*actions, &block) ⇒ Object
This method exists for backwards compatibility.
- #policy(*actions, &block) ⇒ Object
- #policy_helper(name, &body) ⇒ Object
- #policy_helper_module ⇒ Object
- #publicly_allowed(*actions) ⇒ Object
- #reset_policy(*actions) ⇒ Object
- #set_policy(acl, action) ⇒ Object
- #standard_grant_aliases ⇒ Object
- #unalias_actions(actions) ⇒ Object
Instance Method Details
#access_controls(action) ⇒ Object
289 290 291 292 293 294 295 296 |
# File 'lib/logical_authz/application.rb', line 289 def access_controls(action) controller_acl = read_inheritable_attribute(:controller_access_control) || [] return controller_acl if action.nil? action = unalias_actions([action]).first action_acl = (read_inheritable_attribute(:action_access_control) || {})[action.to_sym] || [] laz_debug{ { :checking_policy_for => action, :policies_exist_for => (read_inheritable_attribute(:action_access_control) || {}).keys, :action_acl => action_acl, :controller_acl => controller_acl } } action_acl + controller_acl end |
#admin_authorized(*actions) ⇒ Object
This method exists for backwards compatibility. It’s likely more readable to use the policy DSL
357 358 359 360 361 362 |
# File 'lib/logical_authz/application.rb', line 357 def (*actions) policy(*actions) do |pol| allow :if_admin existing_policy end end |
#authorization_by_default(default_allow) ⇒ Object
172 173 174 |
# File 'lib/logical_authz/application.rb', line 172 def (default_allow) write_inheritable_attribute(:authorization_policy, default_allow) end |
#authorization_needed?(action) ⇒ Boolean
185 186 187 188 189 |
# File 'lib/logical_authz/application.rb', line 185 def (action) acl = access_controls(action) return true unless acl.empty? return !read_inheritable_attribute(:authorization_policy) || false end |
#check_acls(criteria, result_hash = nil) ⇒ Object
298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 |
# File 'lib/logical_authz/application.rb', line 298 def check_acls(criteria, result_hash = nil) result_hash ||= {} policy = nil acl = access_controls(criteria[:action]) result_hash.merge! :checked_rules => [], :determining_rule => nil, :all_rules => acl acl.each do |control| result_hash[:checked_rules] << control policy = control.evaluate(criteria) unless policy.nil? laz_debug{"Rule triggered - result: #{policy.inspect}"} result_hash.merge! :determining_rule => control, :reason => :rule_triggered, :result => policy break end end return policy end |
#clear_policies! ⇒ Object
147 148 149 150 |
# File 'lib/logical_authz/application.rb', line 147 def clear_policies! write_inheritable_attribute(:controller_access_control, []) write_inheritable_attribute(:action_access_control, {}) end |
#default_authorization ⇒ Object
176 177 178 179 180 181 182 183 |
# File 'lib/logical_authz/application.rb', line 176 def policy = read_inheritable_attribute(:authorization_policy) if policy.nil? true else policy end end |
#dynamic_authorization(&block) ⇒ Object
This method exists for backwards compatibility. It’s likely more readable to use the policy DSL
339 340 341 342 343 344 |
# File 'lib/logical_authz/application.rb', line 339 def (&block) policy do |pol| allow(&block) existing_policy end end |
#get_policy(action) ⇒ Object
152 153 154 155 156 157 158 |
# File 'lib/logical_authz/application.rb', line 152 def get_policy(action) if action.nil? read_inheritable_attribute(:controller_access_control) || [] else (read_inheritable_attribute(:action_access_control) || {})[action.to_sym] end end |
#grant_aliases(hash) ⇒ Object Also known as: grant_alias
grant_aliases :new => :create # => anyone with authorization to :create can also access :new (Read as: “for ‘new’ read ‘create’”)
211 212 213 214 215 216 217 218 219 220 221 222 223 |
# File 'lib/logical_authz/application.rb', line 211 def grant_aliases(hash) aliases = read_inheritable_attribute(:grant_alias_hash) || Hash.new{|h,k| h[k] = []} aliased = read_inheritable_attribute(:aliased_grants) || {} hash.each_pair do |grant, allows| [*allows].each do |allowed| aliases[allowed.to_sym] << grant.to_sym aliased[grant.to_sym] = allowed.to_sym move_policies(grant, allowed) end end write_inheritable_attribute(:grant_alias_hash, aliases) write_inheritable_attribute(:aliased_grants, aliased) end |
#grant_aliases_for(action) ⇒ Object
237 238 239 240 241 242 243 244 245 246 |
# File 'lib/logical_authz/application.rb', line 237 def grant_aliases_for(action) grant_aliases = read_inheritable_attribute(:grant_alias_hash) action = action.to_sym if not grant_aliases.nil? and grant_aliases.has_key?(action) return grant_aliases[action] else return [] end end |
#inspect_criteria(criteria) ⇒ Object
248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 |
# File 'lib/logical_authz/application.rb', line 248 def inspect_criteria(criteria) criteria.inject({}) do |hash, name_value| name, value = *name_value case value when ActiveRecord::Base hash[name] = {value.class.name => value.id} when ActionController::Base hash[name] = value.class else hash[name] = value end hash end.inspect end |
#laz_debug ⇒ Object
86 87 88 |
# File 'lib/logical_authz/application.rb', line 86 def laz_debug LogicalAuthz::laz_debug{yield} if block_given? end |
#move_policies(from, to) ⇒ Object
191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 |
# File 'lib/logical_authz/application.rb', line 191 def move_policies(from, to) policies = read_inheritable_attribute(:action_access_control) if policies.nil? policies = {} write_inheritable_attribute(:action_access_control, policies) end if policies.has_key?(from.to_sym) if policies.has_key?(to.to_sym) #Should be raise, at some future point warn "Moving policies defined on #{self.name} for #{from} would clobber policies on #{to}" end policies[to.to_sym] = policies[from.to_sym] policies.delete(from.to_sym) end end |
#needs_authorization(*actions) ⇒ Object Also known as:
It was tempting to build this on before_filter directly - however, inspecting a controller to see if a particular filter will run for a particular action is fragile.
319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 |
# File 'lib/logical_authz/application.rb', line 319 def (*actions) policy(*actions) do allow if_allowed { deny :authenticated allow AccessControl::Permitted.new({:group => LogicalAuthz::Configuration.}) } allow :permitted existing_policy end policy do existing_policy deny :always end end |
#normalize_criteria(criteria) ⇒ Object
264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 |
# File 'lib/logical_authz/application.rb', line 264 def normalize_criteria(criteria) criteria[:group] = criteria[:group].nil? ? [] : [*criteria[:group]] if criteria.has_key?(:user) and not criteria[:user].nil? criteria[:group] += criteria[:user].groups end #if criteria[:group].empty? # criteria[:group] += LogicalAuthz::unauthorized_groups #end criteria[:group], not_groups = criteria[:group].partition do |group| LogicalAuthz::Configuration::group_model === group end Rails.logger.warn{ "Found in criteria[:groups]: #{not_groups.inspect}"} unless not_groups.empty? actions = [*criteria[:action]].compact criteria[:action_aliases] = actions.map do |action| grant_aliases_for(action) end.flatten + actions.map{|action| action.to_sym} criteria[:controller] = self criteria[:controller_path] = controller_path laz_debug{"LogicalAuthz: final computed authz criteria: #{inspect_criteria(criteria)}"} return criteria end |
#owner_authorized(*actions, &block) ⇒ Object
This method exists for backwards compatibility. It’s likely more readable to use the policy DSL
348 349 350 351 352 353 |
# File 'lib/logical_authz/application.rb', line 348 def (*actions, &block) policy(*actions) do |pol| allow AccessControl::Owner.new(&block) existing_policy end end |
#policy(*actions, &block) ⇒ Object
123 124 125 126 127 128 129 130 131 132 133 134 135 |
# File 'lib/logical_authz/application.rb', line 123 def policy(*actions, &block) before_filter CheckAuthorization builder = AccessControl::Builder.new(policy_helper_module) builder.define(&block) if actions.empty? set_policy(builder.list(get_policy(nil)), nil) else actions = unalias_actions(actions) actions.each do |action| set_policy(builder.list(get_policy(action)), action) end end end |
#policy_helper(name, &body) ⇒ Object
117 118 119 120 121 |
# File 'lib/logical_authz/application.rb', line 117 def policy_helper(name, &body) policy_helper_module.module_eval do define_method name, &body end end |
#policy_helper_module ⇒ Object
102 103 104 105 106 107 108 109 110 111 112 113 114 115 |
# File 'lib/logical_authz/application.rb', line 102 def policy_helper_module @policy_helper_module ||= begin mod = Module.new parent_mod = read_inheritable_attribute(:policy_helper_module) unless parent_mod.nil? mod.class_eval { include(parent_mod) } end write_inheritable_attribute(:policy_helper_module, mod) mod end end |
#publicly_allowed(*actions) ⇒ Object
90 91 92 93 94 95 96 97 98 99 100 |
# File 'lib/logical_authz/application.rb', line 90 def publicly_allowed(*actions) if actions.empty? (true) reset_policy else reset_policy(*actions) policy(*actions) do |pol| allow :always end end end |
#reset_policy(*actions) ⇒ Object
137 138 139 140 141 142 143 144 145 |
# File 'lib/logical_authz/application.rb', line 137 def reset_policy(*actions) if actions.empty? set_policy([], nil) else unalias_actions(actions).each do |action| set_policy([], action) end end end |
#set_policy(acl, action) ⇒ Object
160 161 162 163 164 165 166 167 168 169 170 |
# File 'lib/logical_authz/application.rb', line 160 def set_policy(acl, action) if action.nil? laz_debug{ "Policy set: #{self.name} - all: #{acl.inspect}" } write_inheritable_attribute(:controller_access_control, acl) else laz_debug{ "Policy set: #{self.name}##{action}: #{acl.inspect}" } write_inheritable_hash(:action_access_control, {}) policies = read_inheritable_attribute(:action_access_control) policies[action.to_sym] = acl end end |
#standard_grant_aliases ⇒ Object
226 227 228 |
# File 'lib/logical_authz/application.rb', line 226 def standard_grant_aliases grant_aliases :edit => :update end |
#unalias_actions(actions) ⇒ Object
230 231 232 233 234 235 |
# File 'lib/logical_authz/application.rb', line 230 def unalias_actions(actions) aliased_actions = read_inheritable_attribute(:aliased_grants) || {} actions.compact.map do |action| aliased_actions[action.to_sym] || action end.compact.uniq end |