Class: PapersPlease::Policy

Inherits:

Object

• Object
• PapersPlease::Policy

Defined in:

lib/papers_please/policy.rb

Instance Attribute Summary

• #roles ⇒ Object

  Returns the value of attribute roles.

• #user ⇒ Object readonly

  Returns the value of attribute user.

Instance Method Summary

• #add_permissions(keys) ⇒ Object (also: #permit)

  Add permissions to the Role.

• #add_role(name, predicate = nil, &block) ⇒ Object (also: #role)

  Add a role to the Policy.

• #applicable_roles ⇒ Object

  Fetch roles that apply to the current user.

• #authorize!(action, subject) ⇒ Object
• #can?(action, subject = nil) ⇒ Boolean

  Look up a stored permission block and call with the current user and subject.

• #cannot?(*args) ⇒ Boolean
• #configure ⇒ Object
• #initialize(user) ⇒ Policy constructor

  A new instance of Policy.

• #scope_for(action, klass) ⇒ Object (also: #query)

  Look up a stored scope block and call with the current user and class.

Constructor Details

#initialize(user) ⇒ Policy

# File 'lib/papers_please/policy.rb', line 6

def initialize(user)
  @user          = user
  @roles         = {}
  @cache         = {}

  configure
end

Instance Attribute Details

#roles ⇒ Object

Returns the value of attribute roles.

# File 'lib/papers_please/policy.rb', line 3

def roles
  @roles
end

#user ⇒ Object (readonly)

Returns the value of attribute user.

# File 'lib/papers_please/policy.rb', line 4

def user
  @user
end

Instance Method Details

#add_permissions(keys) ⇒ Object Also known as: permit

Add permissions to the Role

# File 'lib/papers_please/policy.rb', line 31

def add_permissions(keys)
  return unless block_given?

  Array(keys).each do |key|
    raise MissingRole unless roles.key?(key)

    yield roles[key]
  end
end

#add_role(name, predicate = nil, &block) ⇒ Object Also known as: role

Add a role to the Policy

Raises:

• (DuplicateRole)

# File 'lib/papers_please/policy.rb', line 19

def add_role(name, predicate = nil, &block)
  name = name.to_sym
  raise DuplicateRole if roles.key?(name)

  role = Role.new(name, predicate: predicate, definition: block)
  roles[name] = role

  role
end

#applicable_roles ⇒ Object

Fetch roles that apply to the current user

# File 'lib/papers_please/policy.rb', line 88

def applicable_roles
  @applicable_roles ||= roles.select do |_, role|
    role.applies_to?(user)
  end
end

#authorize!(action, subject) ⇒ Object

Raises:

• (AccessDenied)

# File 'lib/papers_please/policy.rb', line 69

def authorize!(action, subject)
  raise AccessDenied, "Access denied for #{action} on #{subject}" if cannot?(action, subject)

  subject
end

#can?(action, subject = nil) ⇒ Boolean

Look up a stored permission block and call with the current user and subject

# File 'lib/papers_please/policy.rb', line 44

def can?(action, subject = nil)
  applicable_roles.each do |_, role|
    permission = role.find_permission(action, subject)
    next if permission.nil?

    # Proxy permission check if granted by other
    if permission.granted_by_other?
      # Get proxied subject
      subject = subject.is_a?(Class) ? permission.granting_class : permission.granted_by.call(user, subject)

      # Get proxied permission
      permission = role.find_permission(action, subject)
    end

    # Check permission
    return permission.granted?(user, subject, action) unless permission.nil?
  end

  false
end

#cannot?(*args) ⇒ Boolean

# File 'lib/papers_please/policy.rb', line 65

def cannot?(*args)
  !can?(*args)
end

#configure ⇒ Object

Raises:

• (NotImplementedError)

# File 'lib/papers_please/policy.rb', line 14

def configure
  raise NotImplementedError, 'The #configure method of the access policy was not implemented'
end

#scope_for(action, klass) ⇒ Object Also known as: query

Look up a stored scope block and call with the current user and class

# File 'lib/papers_please/policy.rb', line 77

def scope_for(action, klass)
  applicable_roles.each do |_, role|
    permission = role.find_permission(action, klass)
    return permission.fetch(user, klass, action) unless permission.nil?
  end

  nil
end