module Authorization::AuthorizationInModel
Public Class Methods
Builds and returns a scope with joins and conditions satisfying all obligations.
# File lib/declarative_authorization/in_model.rb, line 65 def self.obligation_scope_for( privileges, options = {} ) options = { :user => Authorization.current_user, :context => nil, :model => self, :engine => nil, }.merge(options) engine = options[:engine] || Authorization::Engine.instance obligation_scope = ObligationScope.new( options[:model], {} ) engine.obligations( privileges, :user => options[:user], :context => options[:context] ).each do |obligation| obligation_scope.parse!( obligation ) end obligation_scope.scope end
Activates model security for the current model. Then, CRUD operations are checked against the authorization of the current user. The privileges are :create
, :read
, :update
and :delete
in the context of the model. By default, :read
is not checked because of performance impacts, especially with large result sets.
class User < ActiveRecord::Base using_access_control end
If an operation is not permitted, a Authorization::AuthorizationError
is raised.
To activate model security on all models, call using_access_control
on ActiveRecord::Base
ActiveRecord::Base.using_access_control
Available options
- :
context
-
Specify context different from the models table name.
- :
include_read
-
Also check for :
read
privilege after find.
# File lib/declarative_authorization/in_model.rb, line 150 def self.using_access_control (options = {}) options = { :context => nil, :include_read => false }.merge(options) class_eval do [:create, :update, [:destroy, :delete]].each do |action, privilege| send(:"before_#{action}") do |object| Authorization::Engine.instance.permit!(privilege || action, :object => object, :context => options[:context]) end end if options[:include_read] # after_find is only called if after_find is implemented after_find do |object| Authorization::Engine.instance.permit!(:read, :object => object, :context => options[:context]) end if Rails.version < "3" def after_find; end end end def self.using_access_control? true end end end
# File lib/declarative_authorization/in_model.rb, line 176 def self.using_access_control? true end
Named scope for limiting query results according to the authorization of the current user. If no privilege is given, :read
is assumed.
User.with_permissions_to User.with_permissions_to(:update) User.with_permissions_to(:update, :context => :users)
As in the case of other named scopes, this one may be chained:
User.with_permission_to.find(:all, :conditions...)
Options
- :
context
-
Context for the privilege to be evaluated in; defaults to the model's table name.
- :
user
-
User to be used for gathering obligations; defaults to the current user.
# File lib/declarative_authorization/in_model.rb, line 100 def self.with_permissions_to (*args) if Rails.version < "3.1" scopes[:with_permissions_to].call(self, *args) else options = args.last.is_a?(Hash) ? args.pop : {} privilege = (args[0] || :read).to_sym privileges = [privilege] parent_scope = scoped context = if options[:context] options[:context] elsif parent_scope.klass.respond_to?(:decl_auth_context) parent_scope.klass.decl_auth_context else parent_scope.klass.name.tableize.to_sym end user = options[:user] || Authorization.current_user engine = options[:engine] || Authorization::Engine.instance engine.permit!(privileges, :user => user, :skip_attribute_test => true, :context => context) obligation_scope_for( privileges, :user => user, :context => context, :engine => engine, :model => parent_scope.klass) end end
Public Instance Methods
# File lib/declarative_authorization/in_model.rb, line 172 def after_find; end
Works similar to the permitted_to? method, but doesn't accept a block and throws the authorization exceptions, just like Engine#permit!
# File lib/declarative_authorization/in_model.rb, line 24 def permitted_to! (privilege, options = {} ) options = { :user => Authorization.current_user, :object => self }.merge(options) Authorization::Engine.instance.permit!(privilege, {:user => options[:user], :object => options[:object]}) end
If the user meets the given privilege, permitted_to? returns true and yields to the optional block.
# File lib/declarative_authorization/in_model.rb, line 11 def permitted_to? (privilege, options = {}, &block) options = { :user => Authorization.current_user, :object => self }.merge(options) Authorization::Engine.instance.permit?(privilege, {:user => options[:user], :object => options[:object]}, &block) end