Module: RoleAuthorization::Controller::InstanceMethods

Defined in:
lib/role_authorization/controller.rb


Instance Method Details

#authorized?(url, method = nil) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/role_authorization/controller.rb', line 84

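# Decides whether the current user may follow +url+, given either as a
# String or as a route Hash (e.g. { controller: 'posts', action: 'show', id: 1 }).
#
# Resolution order:
#   1. Admins are always authorized.
#   2. The url is recognized against the application's routes and the target
#      controller's rules are consulted through #authorized_action?.
#   3. If recognition fails, a String url is treated as a mailto: link, a
#      static file under public/, or a link to another host.
#
# @param url [String, Hash, nil] link target; nil is never authorized
# @param method [Symbol, String, nil] HTTP verb used for route recognition;
#   defaults to params[:method], then the current request's method
# @return [Boolean]
def authorized?(url, method = nil)
  return false unless url
  return true if current_user && current_user.admin?

  route_hash = url.is_a?(Hash)
  unless route_hash
    method ||= (params[:method] || request.method)
    url_parts = URI.split(url.strip)
    path = url_parts[5]
  end

  begin
    hash = route_hash ? url : Rails.application.routes.recognize_path(path, :method => method)

    if hash
      klass = (hash[:controller].camelize + "Controller").constantize.new
      klass.params = hash
      klass.instance_variable_set(:@current_user, current_user)

      return authorized_action?(klass, hash[:controller], hash[:action].to_sym, hash[:id])
    end
  rescue StandardError => e
    # Route recognition or controller lookup failed (RoutingError, NameError, ...):
    # log it and fall through to the non-route checks below. StandardError rather
    # than Exception so SystemExit, Interrupt and NoMemoryError are not swallowed.
    Rails.logger.error e.inspect
    Rails.logger.error "when trying to #{method} #{path}"
    Array(e.backtrace).each { |line| Rails.logger.error line }
  end

  # A route Hash that could not be resolved has nothing to fall back on.
  return false if route_hash

  # Mailto link. \A anchors the start of the whole string; ^ would also accept
  # a "mailto:" that begins a later line of a multi-line value.
  return true if url =~ /\Amailto:/

  # Public file. Normalize the joined path and require it to stay inside
  # public/ so a url containing ".." is not authorized merely because some
  # file elsewhere on disk exists.
  public_dir = File.expand_path(Rails.root.join('public').to_s)
  file = File.expand_path(File.join(public_dir, url))
  return true if file.start_with?(public_dir + File::SEPARATOR) && File.exist?(file)

  # Passing in different domain
  remote_url?(url_parts[2])
end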

#authorized_action?(controller_klass, controller, action, id = nil) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/role_authorization/controller.rb', line 49

# Checks whether the current user may run +action+ on +controller+.
#
# Admins always pass. Otherwise the controller's ruleset is consulted first
# (a rule for :all, then one for the specific action), then each allow group
# in turn. With neither a ruleset nor any allow groups configured the answer
# is false, i.e. deny by default.
#
# @param controller_klass [Object] controller instance the rules are evaluated against
# @param controller [Symbol, String] key into the ruleset and allow-group tables
# @param action [Symbol] action being requested
# @param id [String, Integer, nil] resource id, if any
# @return [Boolean]
def authorized_action?(controller_klass, controller, action, id = nil)
  # by default admins see everything
  return true if current_user && current_user.admin?

  ruleset = self.class.ruleset[controller]
  groups = RoleAuthorization::AllowGroup.get(self.class.allowable_groups[controller])

  if defined?(::DEBUG_AUTHORIZATION_RULES) == 'constant'
    banner = "#" * 30
    Rails.logger.info banner
    Rails.logger.info controller.to_s
    Rails.logger.info ruleset.to_s
    Rails.logger.info banner
  end

  # nothing configured for this controller at all: deny
  return false if ruleset.nil? && groups.empty?

  # a rule for :all covers every action; otherwise look for the specific action
  permits = lambda do |rules|
    rules.authorized?(controller_klass, controller, :all, id) ||
      rules.authorized?(controller_klass, controller, action, id)
  end

  # controller ruleset first
  return true if ruleset && permits.call(ruleset)

  # then each allow group in order
  groups.each { |group| return true if permits.call(group) }

  # no rule matched
  false
end

#check_request_authorizationObject



# File 'lib/role_authorization/controller.rb', line 42

# Request-level gate: denies the current request unless the controller's
# rules authorize the current action for the current user.
#
# @raise [SecurityError] when the action is not authorized. SecurityError
#   descends from Exception, not StandardError, so a bare +rescue+ does not
#   catch it; handle it with rescue_from or an explicit rescue SecurityError.
# @return [void]
def check_request_authorization
  # NOTE(review): cleared before the rules run, presumably so a client-supplied
  # value cannot influence them — confirm against the rule classes
  params[:role_authorization_user_data] = nil

  rule_name = self.class.controller_rule_name
  permitted = authorized_action?(self, rule_name, action_name.to_sym, params[:id])
  raise SecurityError, "You do not have the required clearance to access this resource." unless permitted
end

#remote_url?(domain = nil) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/role_authorization/controller.rb', line 128

# Tells whether +domain+ names a host other than the one serving the
# current request. Comparison is case-insensitive.
#
# @param domain [String, nil] host component of a url
# @return [Boolean] false for a nil or blank domain, otherwise whether
#   it differs from request.host
def remote_url?(domain = nil)
  return false if domain.nil? || domain.strip.empty?

  local_host = request.host.downcase
  local_host != domain.downcase
end