Class: SiriusApi::EventsAuthorizer

Inherits:
BaseAuthorizer
Defined in:
lib/sirius_api/events_authorizer.rb

Constant Summary

PRIVILEGED_ROLES =
Config.umapi_privileged_roles

Instance Attribute Summary

Attributes inherited from BaseAuthorizer

#current_user

Instance Method Summary

Methods inherited from BaseAuthorizer

#authorize_request!, permit, scope, scope_registry

Constructor Details

#initialize(current_user) ⇒ EventsAuthorizer

Returns a new instance of EventsAuthorizer.


# File 'lib/sirius_api/events_authorizer.rb', line 37

# Builds an authorizer bound to the user on whose behalf the request is made.
#
# @param current_user [Object] the requesting user; presumably a User
#   (the role checks later call +has_any_role?+ on it) — confirm in BaseAuthorizer
def initialize(current_user)
  super(current_user)
end

Instance Method Details

#authorize_by_role(opts) ⇒ Object


# File 'lib/sirius_api/events_authorizer.rb', line 41

# Decides whether the requesting user may access the calendar of the target user.
#
# Access is granted in exactly three cases: the requester asks for her own
# calendar, the requester holds one of PRIVILEGED_ROLES, or the target user
# holds one of PRIVILEGED_ROLES (privileged users' calendars are public to
# every authenticated user). Anything else is rejected by raising.
#
# NOTE(review): the identity check uses +opts[:current_user]+ while the role
# check uses the +current_user+ attribute; this assumes both refer to the same
# principal — confirm against the caller in BaseAuthorizer.
#
# @param opts [Hash] request context; reads +:current_user+, +:target_user+,
#   +:http_method+ and +:url+ (the last two only when building an error message)
# @return [true] when access is permitted
# @raise [SiriusApi::Errors::Authorization] when no username is present
#   (OAuth Client Credentials grant) or neither party holds a privileged role
def authorize_by_role(opts)
  requester_id = opts[:current_user]
  owner_id = opts[:target_user]
  # Built lazily so the success paths never touch :http_method / :url.
  describe_request = -> { "#{opts[:http_method].upcase} #{opts[:url]}" }

  # Client Credentials grant carries no username, so there is nobody to authorize.
  unless requester_id
    raise SiriusApi::Errors::Authorization,
      "Access not permitted for OAuth grant Client Credentials on #{describe_request.call}; username is required.".squeeze(' ')
  end

  # Own calendar is always accessible.
  return true if requester_id == owner_id

  # Privileged users (e.g. employees) may view every calendar.
  return true if current_user.has_any_role?(PRIVILEGED_ROLES)

  # Calendars of privileged users are visible to everybody.
  return true if User.new(owner_id).has_any_role?(PRIVILEGED_ROLES)

  raise SiriusApi::Errors::Authorization,
    "Access not permitted for #{current_user} on #{describe_request.call}. This resource requires one of IDM roles: #{PRIVILEGED_ROLES.join(', ')}, or more privileged scope.".squeeze(' ')
end