Module: Vigilante::Authorization

Defined in:

lib/vigilante/authorization.rb

Class Method Summary

• .included(base) ⇒ Object

Instance Method Summary

• #check_permission(options = {}) ⇒ Object

  explicitely check the Vigilante permissions in a controller method :.

• #check_permissions(options = {}) ⇒ Object

  ****************************************************************** explicitely call the Vigilante filter in each controller that requires Vigilante protection : …

• #get_current_context_from_application ⇒ Object

  ****************************************************************** to be overruled in the project returns current context where applicable.

• #get_extent_from_context(context_objects) ⇒ Object
• #get_extent_id_from_context_object(context_object) ⇒ Object
• #get_protectee ⇒ Object

  this will return the current user/operator/…

• #get_protectee_permissions ⇒ Object
• #handle_context_for_nested_resources ⇒ Object
• #is_allowed_to?(controller_name, action, context = get_current_context_from_application) ⇒ Boolean

  ******************************************************************.

• #model_name ⇒ Object

  returns the model-name for this controller converts ApplicationController : Application ApplicationsController : Application AccountsController : Account …

• #signal_permission_error ⇒ Object

  ******************************************************************.

Class Method Details

.included(base) ⇒ Object

# File 'lib/vigilante/authorization.rb', line 4

def self.included(base)
  current_user_method = VIGILANTE_CONFIG['current_user_method']

  base.helper_method :is_allowed_to?
  base.helper_method "get_#{current_user_method}_extent_of".to_sym
  base.helper_method "get_#{current_user_method}_permissions_are_global?".to_sym

  define_method "get_#{current_user_method}_extent_of" do |controller_name, action|
    get_protectee_permissions.get_extent_of(controller_name, action)
  end

  # needed? --> tells if the current_operator has only global permissions
  define_method "get_#{current_user_method}_permissions_are_global?" do
    get_protectee_permissions.are_only_global?
  end

  define_method "get_#{current_user_method}_permissions" do
    get_protectee_permissions
  end

end

Instance Method Details

#check_permission(options = {}) ⇒ Object

explicitely check the Vigilante permissions in a controller method :

def update
  check_permission
   ... do something real

end

This way it is easy to protect a single action explicitly. It is even possible to use other permissions E.g.

def update
  check_permission(:action => 'destroy') if params[:factory_default]
  ..
end

To restore to factory defaults an operator needs permission to destroy an item. You could even use the permissions for another controller

def update
  check_permission(:action => 'update', :controller => 'some_other')
  ..
end

This will check the permission for some_other#update to be allowed access.

# File 'lib/vigilante/authorization.rb', line 104

def check_permission(options={})
  controller_to_check = options[:controller] || controller_name
  action_to_check = options[:action] || action_name
  signal_permission_error unless is_allowed_to?(controller_to_check, action_to_check, get_current_context_from_application)
end

#check_permissions(options = {}) ⇒ Object

******************************************************************

explicitely call the Vigilante filter in each controller that requires Vigilante protection :
   ... (fill the necessary context)
   before_filter :check_permissions

If some controller is actually an API or shares permissions, you can do the following

before_filter :check_permissions, :as => 'posts'

and instead of the current controller, it will use the permissions for controller posts to check if an action is allowed.

# File 'lib/vigilante/authorization.rb', line 69

def check_permissions(options={})
  logger.debug "CHECK PERMISSIONS"
  # a logged in operator can do ajax-requests
  return if get_protectee.present? && request.xhr?

  controller_to_check = options[:as].nil? ? controller_name : options[:as]

  signal_permission_error unless is_allowed_to?(controller_to_check, action_name, get_current_context_from_application)
end

#get_current_context_from_application ⇒ Object

****************************************************************** to be overruled in the project returns current context where applicable

# File 'lib/vigilante/authorization.rb', line 30

def get_current_context_from_application
  application_method = VIGILANTE_CONFIG['application_context']
  self.send(application_method) if application_method.present?
end

#get_extent_from_context(context_objects) ⇒ Object

# File 'lib/vigilante/authorization.rb', line 134

def get_extent_from_context(context_objects)
  return nil if context_objects.nil?
  extent = []
  if context_objects.respond_to?(:each)
    context_objects.each do |ctx|
      extent << get_extent_id_from_context_object(ctx)
    end
  else
    extent << get_extent_id_from_context_object(context_objects)
  end
  extent
end

#get_extent_id_from_context_object(context_object) ⇒ Object

# File 'lib/vigilante/authorization.rb', line 35

def get_extent_id_from_context_object(context_object)
  application_method = VIGILANTE_CONFIG['application_extent_id_from_object']
  self.send(application_method, context_object) if application_method.present?
end

#get_protectee ⇒ Object

this will return the current user/operator/… that is guarded by vigilante

# File 'lib/vigilante/authorization.rb', line 46

def get_protectee
  current_user_method = VIGILANTE_CONFIG['current_user_method']

  Rails.logger.debug "current_user_method = #{current_user_method}"

  @protectee ||= self.send(current_user_method) if current_user_method.present?

  Rails.logger.debug "Protectee = #{@protectee.present? ? @protectee.to_s : 'NONE'}"

  @protectee
end

#get_protectee_permissions ⇒ Object

# File 'lib/vigilante/authorization.rb', line 118

def get_protectee_permissions
  @permits ||= session[:permits]
  if @permits.nil?
    Rails.logger.debug "determine permissions ... "
    @permits = if get_protectee
                 get_protectee.permits
               else
                 PermissionHash.default
               end
    session[:permits] = @permits
  elsif @permits.class.name != "PermissionHash"
    @permits = PermissionHash.new(@permits)
  end
  @permits
end

#handle_context_for_nested_resources ⇒ Object

# File 'lib/vigilante/authorization.rb', line 40

def handle_context_for_nested_resources
  application_method = VIGILANTE_CONFIG['application_context_from_nested_resources']
  self.send(application_method) if application_method.present?
end

#is_allowed_to?(controller_name, action, context = get_current_context_from_application) ⇒ Boolean

******************************************************************

Returns:

• (Boolean)

# File 'lib/vigilante/authorization.rb', line 113

def is_allowed_to?(controller_name, action, context=get_current_context_from_application)
  logger.debug "is_allowed_to? #{controller_name.to_s}##{action} [#{context.inspect}]"
  get_protectee_permissions.is_allowed_by_context(controller_name, action, get_extent_from_context(context))
end

#model_name ⇒ Object

returns the model-name for this controller converts

ApplicationController  : Application
ApplicationsController : Application
AccountsController     : Account

…

# File 'lib/vigilante/authorization.rb', line 181

def model_name
  controller_name.singularize.camelize
end

#signal_permission_error ⇒ Object

******************************************************************

Raises:

• (Vigilante::AccessDenied)

# File 'lib/vigilante/authorization.rb', line 151

def signal_permission_error
  logger.debug "ACCESS DENIED!"
  raise Vigilante::AccessDenied.new
end