Class: Authorization::Engine

Inherits:

Object

• Object
• Authorization::Engine

Defined in:

lib/authorization.rb

Overview

Authorization::Engine implements the reference monitor. It may be used for querying the permission and retrieving obligations under which a certain privilege is granted for the current user.

Defined Under Namespace

Classes: AttributeValidator

Instance Attribute Summary

• #auth_rules ⇒ Object readonly

  Returns the value of attribute auth_rules.

• #privilege_hierarchy ⇒ Object readonly

  Returns the value of attribute privilege_hierarchy.

• #privileges ⇒ Object readonly

  Returns the value of attribute privileges.

• #rev_priv_hierarchy ⇒ Object readonly

  Returns the value of attribute rev_priv_hierarchy.

• #role_descriptions ⇒ Object readonly

  Returns the value of attribute role_descriptions.

• #role_hierarchy ⇒ Object readonly

  Returns the value of attribute role_hierarchy.

• #role_titles ⇒ Object readonly

  Returns the value of attribute role_titles.

• #roles ⇒ Object readonly

  Returns the value of attribute roles.

Class Method Summary

• .instance(dsl_file = nil) ⇒ Object

  Returns an instance of Engine, which is created if there isn’t one yet.

Instance Method Summary

• #description_for(role) ⇒ Object

  Returns the description for the given role.

• #initialize(reader = nil) ⇒ Engine constructor

  If reader is not given, a new one is created with the default authorization configuration of AUTH_DSL_FILE.

• #obligations(privilege, options = {}) ⇒ Object

  Returns the obligations to be met by the current user for the given privilege as an array of obligation hashes in form of [=> obligation_value, …, …] where obligation_value is either (recursively) another obligation hash or a value spec, such as [operator, literal_value] The obligation hashes in the array should be OR’ed, conditions inside the hashes AND’ed.

• #permit!(privilege, options = {}) ⇒ Object

  Returns true if privilege is met by the current user.

• #permit?(privilege, options = {}, &block) ⇒ Boolean

  Calls permit! but rescues the AuthorizationException and returns false instead.

• #roles_for(user) ⇒ Object

  Returns the role symbols of the given user.

• #title_for(role) ⇒ Object

  Returns the title for the given role.

Constructor Details

#initialize(reader = nil) ⇒ Engine

If reader is not given, a new one is created with the default authorization configuration of AUTH_DSL_FILE. If given, may be either a Reader object or a path to a configuration file.

# File 'lib/authorization.rb', line 57

def initialize (reader = nil)
  if reader.nil?
    begin
      reader = Reader::DSLReader.load(AUTH_DSL_FILE)
    rescue SystemCallError
      reader = Reader::DSLReader.new
    end
  elsif reader.is_a?(String)
    reader = Reader::DSLReader.load(reader)
  end
  @privileges = reader.privileges_reader.privileges
  # {priv => [[priv, ctx],...]}
  @privilege_hierarchy = reader.privileges_reader.privilege_hierarchy
  @auth_rules = reader.auth_rules_reader.auth_rules
  @roles = reader.auth_rules_reader.roles
  @role_hierarchy = reader.auth_rules_reader.role_hierarchy

  @role_titles = reader.auth_rules_reader.role_titles
  @role_descriptions = reader.auth_rules_reader.role_descriptions
  
  # {[priv, ctx] => [priv, ...]}
  @rev_priv_hierarchy = {}
  @privilege_hierarchy.each do |key, value|
    value.each do |val| 
      @rev_priv_hierarchy[val] ||= []
      @rev_priv_hierarchy[val] << key
    end
  end
end

Instance Attribute Details

#auth_rules ⇒ Object (readonly)

Returns the value of attribute auth_rules.

# File 'lib/authorization.rb', line 51

def auth_rules
  @auth_rules
end

#privilege_hierarchy ⇒ Object (readonly)

Returns the value of attribute privilege_hierarchy.

# File 'lib/authorization.rb', line 51

def privilege_hierarchy
  @privilege_hierarchy
end

#privileges ⇒ Object (readonly)

Returns the value of attribute privileges.

# File 'lib/authorization.rb', line 51

def privileges
  @privileges
end

#rev_priv_hierarchy ⇒ Object (readonly)

Returns the value of attribute rev_priv_hierarchy.

# File 'lib/authorization.rb', line 51

def rev_priv_hierarchy
  @rev_priv_hierarchy
end

#role_descriptions ⇒ Object (readonly)

Returns the value of attribute role_descriptions.

# File 'lib/authorization.rb', line 51

def role_descriptions
  @role_descriptions
end

#role_hierarchy ⇒ Object (readonly)

Returns the value of attribute role_hierarchy.

# File 'lib/authorization.rb', line 51

def role_hierarchy
  @role_hierarchy
end

#role_titles ⇒ Object (readonly)

Returns the value of attribute role_titles.

# File 'lib/authorization.rb', line 51

def role_titles
  @role_titles
end

#roles ⇒ Object (readonly)

Returns the value of attribute roles.

# File 'lib/authorization.rb', line 51

def roles
  @roles
end

Class Method Details

.instance(dsl_file = nil) ⇒ Object

Returns an instance of Engine, which is created if there isn’t one yet. If dsl_file is given, it is passed on to Engine.new and a new instance is always created.

# File 'lib/authorization.rb', line 236

def self.instance (dsl_file = nil)
  if dsl_file or ENV['RAILS_ENV'] == 'development'
    @@instance = new(dsl_file)
  else
    @@instance ||= new
  end
end

Instance Method Details

#description_for(role) ⇒ Object

Returns the description for the given role. The description may be specified with the authorization rules. Returns nil if none was given.

# File 'lib/authorization.rb', line 205

def description_for (role)
  role_descriptions[role]
end

#obligations(privilege, options = {}) ⇒ Object

Returns the obligations to be met by the current user for the given privilege as an array of obligation hashes in form of

[{:object_attribute => obligation_value, ...}, ...]

where obligation_value is either (recursively) another obligation hash or a value spec, such as

[operator, literal_value]

The obligation hashes in the array should be OR’ed, conditions inside the hashes AND’ed.

Example

{:branch => {:company => [:is, 24]}, :active => [:is, true]}

Options

:context

See permit!

:user

See permit!

# File 'lib/authorization.rb', line 192

def obligations (privilege, options = {})
  options = {:context => nil}.merge(options)
  user, roles, privileges = user_roles_privleges_from_options(privilege, options)
  attr_validator = AttributeValidator.new(self, user)
  matching_auth_rules(roles, privileges, options[:context]).collect do |rule|
    obligation = rule.attributes.collect {|attr| attr.obligation(attr_validator) }
    obligation.empty? ? [{}] : obligation
  end.flatten
end

#permit!(privilege, options = {}) ⇒ Object

Returns true if privilege is met by the current user. Raises AuthorizationError otherwise. privilege may be given with or without context. In the latter case, the :context option is required.

Options:

:context

The context part of the privilege. Defaults either to the table_name of the given :object, if given. That is, either :users for :object of type User.

Raises AuthorizationUsageError if context is missing and not to be infered.

:object

An context object to test attribute checks against.

:skip_attribute_test

Skips those attribute checks in the authorization rules. Defaults to false.

:user

The user to check the authorization for. Defaults to Authorization#current_user.

# File 'lib/authorization.rb', line 107

def permit! (privilege, options = {})
  return true if Authorization.ignore_access_control
  options = {
    :object => nil,
    :skip_attribute_test => false,
    :context => nil
  }.merge(options)
  
  # Make sure we're handling all privileges as symbols.
  privilege = privilege.is_a?( Array ) ?
              privilege.flatten.collect { |priv| priv.to_sym } :
              privilege.to_sym
  
  #
  # If the object responds to :proxy_reflection, we're probably working with
  # an association proxy.  Use 'new' to leverage ActiveRecord's builder
  # functionality to obtain an object against which we can check permissions.
  #
  # Example: permit!( :edit, :object => user.posts )
  #
  if options[:object].respond_to?( :proxy_reflection )
    options[:object] = options[:object].new
  end
  
  options[:context] ||= options[:object] && options[:object].class.table_name.to_sym rescue NoMethodError
  
  user, roles, privileges = user_roles_privleges_from_options(privilege, options)

  # find a authorization rule that matches for at least one of the roles and 
  # at least one of the given privileges
  attr_validator = AttributeValidator.new(self, user, options[:object])
  rules = matching_auth_rules(roles, privileges, options[:context])
  if rules.empty?
    raise NotAuthorized, "No matching rules found for #{privilege} for #{user.inspect} " +
      "(roles #{roles.inspect}, privileges #{privileges.inspect}, " +
      "context #{options[:context].inspect})."
  end
  
  # Test each rule in turn to see whether any one of them is satisfied.
  grant_permission = rules.any? do |rule|
    begin
      options[:skip_attribute_test] or
        rule.attributes.empty? or
        rule.attributes.any? do |attr|
          begin
            attr.validate?( attr_validator )
          rescue NilAttributeValueError => e
            nil # Bumping up against a nil attribute value flunks the rule.
          end
        end
    end
  end
  unless grant_permission
    raise AttributeAuthorizationError, "#{privilege} not allowed for #{user.inspect} on #{options[:object].inspect}."
  end
  true
end

#permit?(privilege, options = {}, &block) ⇒ Boolean

Calls permit! but rescues the AuthorizationException and returns false instead. If no exception is raised, permit? returns true and yields to the optional block.

Returns:

• (Boolean)

# File 'lib/authorization.rb', line 168

def permit? (privilege, options = {}, &block) # :yields:
  permit!(privilege, options)
  yield if block_given?
  true
rescue NotAuthorized
  false
end

#roles_for(user) ⇒ Object

Returns the role symbols of the given user.

Raises:

• (AuthorizationUsageError)

# File 'lib/authorization.rb', line 217

def roles_for (user)
  raise AuthorizationUsageError, "User object doesn't respond to roles" \
    if !user.respond_to?(:role_symbols) and !user.respond_to?(:roles)

  RAILS_DEFAULT_LOGGER.info("The use of user.roles is deprecated.  Please add a method " +
      "role_symbols to your User model.") if defined?(RAILS_DEFAULT_LOGGER) and !user.respond_to?(:role_symbols)

  roles = user.respond_to?(:role_symbols) ? user.role_symbols : user.roles

  raise AuthorizationUsageError, "User.#{user.respond_to?(:role_symbols) ? 'role_symbols' : 'roles'} " +
    "doesn't return an Array of Symbols (#{roles.inspect})" \
        if !roles.is_a?(Array) or (!roles.empty? and !roles[0].is_a?(Symbol))

  (roles.empty? ? [:guest] : roles)
end

#title_for(role) ⇒ Object

Returns the title for the given role. The title may be specified with the authorization rules. Returns nil if none was given.

# File 'lib/authorization.rb', line 212

def title_for (role)
  role_titles[role]
end