Class: Shamu::Security::ActiveRecordPolicy

Inherits:
Policy
  • Object
Defined in:
lib/shamu/security/active_record_policy.rb

Overview

Extends the standard Policy class to add ActiveRecord::Relation refinements based on granted policies.

Examples:

class UserPolicy < Shamu::Security::ActiveRecordPolicy
  private

    def permissions
      permit :read, UserEntity do |user|
        user.public?
      end

      refine :read, Models::User do |users, additional_context|
        users.where( public: true )
      end
    end

end

class UsersService < Shamu::Services::Service
  include Shamu::Security::Support

  def list
    entity_list policy.refine_relation( :list, Models::User.all ) do |record|
      scorpion.fetch UserEntity, record: record
    end
  end

  private

    def policy_class
      UserPolicy
    end
end

Instance Attribute Summary

Attributes inherited from Policy

#principal, #related_user_ids, #roles

Dependencies

Instance Method Summary

Methods inherited from Policy

#alias_action, #authorize!, #deny, #in_role?, #initialize, #is_principal?, #permissions, #permit, #permit?, #resource, #when_elevated

Methods included from Roles

expand_roles, role, role_defined?, roles

Constructor Details

This class inherits a constructor from Shamu::Security::Policy

Instance Method Details

#refine(*actions, model_class) {|relation, additional_context| ... }

This method returns an undefined value.

Declare a refinement that should be applied to an ActiveRecord::Relation for the given actions. #refine_relation will yield the relation to any matching refinement to reduce the scope of records available for projection.

Examples:

def permissions
  permit :read, UserEntity do |user|
    user.public?
  end
  refine :read, Models::User do |users, additional_context|
    users.where( public: true )
  end
end

Parameters:

  • actions (Array<Symbol>)

    that should be refined.

  • model_class (Class)

    the ActiveRecord::Base class to refine.

Yields:

  • (relation, additional_context)

Yield Parameters:

  • relation (ActiveRecord::Relation)

    to refine.

  • additional_context (Object)

    offered to #refine_relation.

Yield Returns:

  • (ActiveRecord::Relation, nil)

    the refined relation, or nil if no refinement should be applied.



# File 'lib/shamu/security/active_record_policy.rb', line 94

def refine( *actions, model_class, &block )
  fail "No actions defined" if actions.blank?
  refinements << PolicyRefinement.new( expand_aliases( actions ), model_class, block )
end

#refine_relation(action, relation, additional_context = nil) ⇒ ActiveRecord::Relation

Refine an ActiveRecord::Relation to select only those records permitted for the given action.

Parameters:

  • action (Symbol)

    to perform on the Entities::Entity that will be projected from the records.

  • relation (ActiveRecord::Relation)

    to refine.

  • additional_context (Object) (defaults to: nil)

    that the #refine block may consider when applying the refinement.

Returns:

  • (ActiveRecord::Relation)

    the refined relation.



# File 'lib/shamu/security/active_record_policy.rb', line 49

def refine_relation( action, relation, additional_context = nil )
  resolve_permissions
  refined = false

  refinements.each do |refinement|
    if refinement.match?( action, relation, additional_context )
      refined  = true
      relation = refinement.apply( relation, additional_context ) || relation
    end
  end

  refined ? relation : relation.none
end