Class: Mumukit::Auth::Permissions

Inherits:

Object

• Object
• Mumukit::Auth::Permissions

Includes:

Protection, Roles

Defined in:

lib/mumukit/auth/permissions.rb

Constant Summary

Constants included from Roles

Roles::ROLES

Instance Attribute Summary

• #scopes ⇒ Object

  Returns the value of attribute scopes.

Class Method Summary

• .dump(permission) ⇒ Object
• .load(json) ⇒ Object
• .parse(hash) ⇒ Object
• .reparse(something) ⇒ Object

Instance Method Summary

• #==(other) ⇒ Object (also: #eql?)
• #accessible_organizations ⇒ Object

  Deprecated: use ‘student_granted_organizations` organizations instead.

• #add_permission!(role, *grants) ⇒ Object
• #any_granted_organizations ⇒ Object
• #as_json(options = {}) ⇒ Object
• #as_set ⇒ Object
• #assign_to?(other, previous) ⇒ Boolean
• #delegate_to?(other) ⇒ Boolean
• #grant_strings_for(role) ⇒ Object
• #granted_organizations_for(role) ⇒ Object
• #has_permission?(role, resource_slug) ⇒ Boolean
• #has_role?(role) ⇒ Boolean
• #hash ⇒ Object
• #initialize(scopes = {}) ⇒ Permissions constructor

  A new instance of Permissions.

• #inspect ⇒ Object
• #merge(other) ⇒ Object
• #protect_permissions_assignment!(other, previous) ⇒ Object
• #remove_permission!(role, grant) ⇒ Object
• #role_allows?(role, resource_slug) ⇒ Boolean
• #scope_for(role) ⇒ Object
• #student_granted_organizations ⇒ Object

  Answers the organizations for which the user has been explicitly granted acceses as student.

• #to_h ⇒ Object
• #to_s ⇒ Object
• #update_permission!(role, old_grant, new_grant) ⇒ Object

Methods included from Protection

#protect!, #protect_delegation!

Constructor Details

#initialize(scopes = {}) ⇒ Permissions

Returns a new instance of Permissions.

# File 'lib/mumukit/auth/permissions.rb', line 9

def initialize(scopes={})
  raise 'invalid scopes' if scopes.any? { |key, value| value.class != Mumukit::Auth::Scope }

  @scopes = scopes.with_indifferent_access
end

Instance Attribute Details

#scopes ⇒ Object

Returns the value of attribute scopes.

# File 'lib/mumukit/auth/permissions.rb', line 7

def scopes
  @scopes
end

Class Method Details

.dump(permission) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 100

def self.dump(permission)
  permission.to_json
end

.load(json) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 92

def self.load(json)
  if json.nil?
    parse({})
  else
    parse(JSON.parse(json))
  end
end

.parse(hash) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 81

def self.parse(hash)
  return new if hash.blank?

  new(hash.map { |role, grants| [role, Mumukit::Auth::Scope.parse(grants)] }.to_h)
end

.reparse(something) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 87

def self.reparse(something)
  something ||= {}
  parse(something.to_h)
end

Instance Method Details

#==(other) ⇒ Object Also known as: eql?

# File 'lib/mumukit/auth/permissions.rb', line 117

def ==(other)
  self.class == other.class && self.scopes == other.scopes
end

#accessible_organizations ⇒ Object

Deprecated: use ‘student_granted_organizations` organizations instead

# File 'lib/mumukit/auth/permissions.rb', line 32

def accessible_organizations
  warn "Don't use accessible_organizations, since this method is probably not doing what you would expect.\n" +
       "Use student_granted_organizations if you still need its behaviour"
  student_granted_organizations
end

#add_permission!(role, *grants) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 52

def add_permission!(role, *grants)
  scope_for(role).add_grant! *grants
end

#any_granted_organizations ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 44

def any_granted_organizations
  scopes.values.flat_map(&:grants).map(&:organization).to_set
end

#as_json(options = {}) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 77

def as_json(options={})
  scopes.as_json(options)
end

#as_set ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 113

def as_set
  Set.new scopes.flat_map { |role, scope| scope.grants.map {|grant| [role, grant]} }
end

#assign_to?(other, previous) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/mumukit/auth/permissions.rb', line 104

def assign_to?(other, previous)
  diff = previous.as_set ^ other.as_set
  diff.all? { |role, grant| has_permission?(role, grant) }
end

#delegate_to?(other) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/mumukit/auth/permissions.rb', line 69

def delegate_to?(other)
  other.scopes.all? { |role, scope| has_all_permissions?(role, scope) }
end

#grant_strings_for(role) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 73

def grant_strings_for(role)
  scope_for(role).grants.map(&:to_s)
end

#granted_organizations_for(role) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 48

def granted_organizations_for(role)
  scope_for(role)&.grants&.map(&:organization).to_set
end

#has_permission?(role, resource_slug) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/mumukit/auth/permissions.rb', line 15

def has_permission?(role, resource_slug)
  Mumukit::Auth::Role.parse(role).allows?(resource_slug, self)
end

#has_role?(role) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/mumukit/auth/permissions.rb', line 23

def has_role?(role)
  scopes[role].present?
end

#hash ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 123

def hash
  scopes.hash
end

#inspect ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 131

def inspect
  "<Mumukit::Auth::Permissions #{to_s}>"
end

#merge(other) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 56

def merge(other)
  self.class.new(scopes.merge(other.scopes) { |_key, left, right| left.merge right })
end

#protect_permissions_assignment!(other, previous) ⇒ Object

Raises:

• (Mumukit::Auth::UnauthorizedAccessError)

# File 'lib/mumukit/auth/permissions.rb', line 109

def protect_permissions_assignment!(other, previous)
  raise Mumukit::Auth::UnauthorizedAccessError unless assign_to?(self.class.reparse(other), previous)
end

#remove_permission!(role, grant) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 60

def remove_permission!(role, grant)
  scope_for(role).remove_grant!(grant)
end

#role_allows?(role, resource_slug) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/mumukit/auth/permissions.rb', line 19

def role_allows?(role, resource_slug)
  scope_for(role).allows?(resource_slug)
end

#scope_for(role) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 27

def scope_for(role)
  self.scopes[role] ||= Mumukit::Auth::Scope.new
end

#student_granted_organizations ⇒ Object

Answers the organizations for which the user has been explicitly granted acceses as student. This method does not include the organizations the user has access because of the roles hierarchy

# File 'lib/mumukit/auth/permissions.rb', line 40

def student_granted_organizations
  granted_organizations_for :student
end

#to_h ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 135

def to_h
  as_json
end

#to_s ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 127

def to_s
  '!' + scopes.map { |role, scope| "#{role}:#{scope}" }.join(';')
end

#update_permission!(role, old_grant, new_grant) ⇒ Object

# File 'lib/mumukit/auth/permissions.rb', line 64

def update_permission!(role, old_grant, new_grant)
  remove_permission! role, old_grant
  add_permission! role, new_grant
end