caber 0.1.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +82 -4
- data/app/models/concerns/caber/object.rb +22 -0
- data/app/models/concerns/caber/subject.rb +6 -0
- data/lib/caber/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 71093a528267100a6e810a9906de6dc3bde29357d54f9b4557926c0d9ce5852b
|
|
4
|
+
data.tar.gz: cdcfda7d716bc8e5f9fd307d803ce8eba968477e724a872e03f8e088c02da0a5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 47d31508f48f5390523980e2507e6654412f4eca34e5af152cbb704fb4b7b72a35020189edf1afe41e04db3f88cd080f69f815a0546578e1719734c88a147b06
|
|
7
|
+
data.tar.gz: 2b48730f693d2ca3425ae70d2df0f950dfaa6dc24a353cbcba06bd08696772ed3cf3c668b2cce7c28e2b99d536ef87ac79ba76adb342fc03e4d6bccd164f4f73
|
data/README.md
CHANGED
|
@@ -37,13 +37,21 @@ end
|
|
|
37
37
|
Now you're ready to grant some permissions! To give someone permission on something:
|
|
38
38
|
|
|
39
39
|
```
|
|
40
|
-
document.grant_permission_to
|
|
40
|
+
document.grant_permission_to "viewer", user
|
|
41
41
|
```
|
|
42
42
|
|
|
43
43
|
You can query permissions in both directions:
|
|
44
44
|
```
|
|
45
|
-
document.grants_permission_to?
|
|
46
|
-
user.
|
|
45
|
+
document.grants_permission_to? "viewer", user
|
|
46
|
+
user.has_permission_on? "viewer", document
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
You can also check more than one permission at once by passing an array.
|
|
50
|
+
The check will be positive if *either* are granted:
|
|
51
|
+
|
|
52
|
+
```
|
|
53
|
+
document.grants_permission_to? ["viewer", "editor"], user
|
|
54
|
+
user.has_permission_on? ["viewer", "editor"], document
|
|
47
55
|
```
|
|
48
56
|
|
|
49
57
|
### Global permissions
|
|
@@ -51,7 +59,68 @@ user.has_permission_to? :view, document
|
|
|
51
59
|
To grant or query permissions globally (for instance, for a public view permission), you can use a `nil` subject:
|
|
52
60
|
|
|
53
61
|
```
|
|
54
|
-
document.grant_permission_to
|
|
62
|
+
document.grant_permission_to "viewer", nil
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
### Relationships
|
|
66
|
+
|
|
67
|
+
In order to query lists of available objects, subjects need to be told what types they can be granted permission on. For each type, after including `Caber::Subject`, call `can_have_permissions_on` with the ActiveRecord class you want to be able to get lists of. `permitted_*` relationships are then automatically added for that type:
|
|
68
|
+
|
|
69
|
+
```
|
|
70
|
+
class User < ApplicationRecord
|
|
71
|
+
include Caber::Subject
|
|
72
|
+
can_have_permissions_on Document
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
user.permitted_documents
|
|
76
|
+
# => all documents with any granted permission
|
|
77
|
+
|
|
78
|
+
user.permitted_documents.with_permission "viewer"
|
|
79
|
+
# => all documents that the user has viewer permission on
|
|
80
|
+
|
|
81
|
+
user.permitted_documents.with_permission ["viewer", "editor"]
|
|
82
|
+
# => all documents that the user has viewer or editor permission on
|
|
83
|
+
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
The inverse relationship is also possible by specifying `can_grant_permissions_to` on objects:
|
|
87
|
+
|
|
88
|
+
```
|
|
89
|
+
class Document < ApplicationRecord
|
|
90
|
+
include Caber::Object
|
|
91
|
+
can_grant_permissions_to User
|
|
92
|
+
end
|
|
93
|
+
|
|
94
|
+
document.permitted_users
|
|
95
|
+
# => all users with any permission
|
|
96
|
+
|
|
97
|
+
document.permitted_users.with_permission "viewer"
|
|
98
|
+
# => all users with viewer permission
|
|
99
|
+
|
|
100
|
+
document.permitted_users.with_permission ["viewer", "editor"]
|
|
101
|
+
# => all users with viewer or editor permission
|
|
102
|
+
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
### Revoking permissions
|
|
106
|
+
|
|
107
|
+
You can revoke some or all permissions from a user:
|
|
108
|
+
|
|
109
|
+
```
|
|
110
|
+
# Remove a specific permission
|
|
111
|
+
document.revoke_permission("viewer", user)
|
|
112
|
+
|
|
113
|
+
# Remove all permissions from a user
|
|
114
|
+
document.revoke_all_permissions(user)
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
### Finding objects
|
|
118
|
+
|
|
119
|
+
You can get lists of objects that a user has some permission on:
|
|
120
|
+
|
|
121
|
+
```
|
|
122
|
+
Document.granted_to "viewer", user
|
|
123
|
+
# => All the documents that user has "viewer" permission on
|
|
55
124
|
```
|
|
56
125
|
|
|
57
126
|
## Development
|
|
@@ -67,3 +136,12 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/manyfo
|
|
|
67
136
|
## Code of Conduct
|
|
68
137
|
|
|
69
138
|
Everyone interacting in the Caber project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/manyfold3d/caber/blob/master/CODE_OF_CONDUCT.md).
|
|
139
|
+
|
|
140
|
+
## Acknowledgements
|
|
141
|
+
|
|
142
|
+
This gem was created as part of [Manyfold](https://manyfold.app), with funding from [NGI0 Entrust](https://nlnet.nl/entrust), a fund established by [NLnet](https://nlnet.nl) with financial support from the European Commission's [Next Generation Internet](https://ngi.eu) program.
|
|
143
|
+
|
|
144
|
+
[<img src="https://nlnet.nl/logo/banner.png" alt="NLnet foundation logo" width="20%" />](https://nlnet.nl)
|
|
145
|
+
[<img src="https://nlnet.nl/image/logos/NGI0_tag.svg" alt="NGI Zero Logo" width="20%" />](https://nlnet.nl/entrust)
|
|
146
|
+
|
|
147
|
+
Name: `"ReBAC".downcase.reverse`
|
|
@@ -2,6 +2,20 @@ module Caber::Object
|
|
|
2
2
|
extend ActiveSupport::Concern
|
|
3
3
|
|
|
4
4
|
included do
|
|
5
|
+
has_many :caber_relations, as: :object, class_name: "Caber::Relation", dependent: :destroy
|
|
6
|
+
scope :with_permission, ->(permission) { where("caber_relations.permission": permission) }
|
|
7
|
+
|
|
8
|
+
def self.can_grant_permissions_to(model)
|
|
9
|
+
has_many :"permitted_#{model.name.pluralize.parameterize}", through: :caber_relations, source: :subject, source_type: model.name
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
scope :granted_to, ->(permission, subject) {
|
|
13
|
+
includes(:caber_relations).where(
|
|
14
|
+
"caber_relations.subject_id": subject.id,
|
|
15
|
+
"caber_relations.subject_type": subject.class.name,
|
|
16
|
+
"caber_relations.permission": permission
|
|
17
|
+
)
|
|
18
|
+
}
|
|
5
19
|
end
|
|
6
20
|
|
|
7
21
|
def grant_permission_to(permission, subject)
|
|
@@ -11,4 +25,12 @@ module Caber::Object
|
|
|
11
25
|
def grants_permission_to?(permission, subject)
|
|
12
26
|
Caber::Relation.where(object: self, subject: [subject, nil], permission: permission).present?
|
|
13
27
|
end
|
|
28
|
+
|
|
29
|
+
def revoke_permission(permission, subject)
|
|
30
|
+
Caber::Relation.where(object: self, subject: subject, permission: permission).destroy_all
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def revoke_all_permissions(subject)
|
|
34
|
+
Caber::Relation.where(object: self, subject: subject).destroy_all
|
|
35
|
+
end
|
|
14
36
|
end
|
|
@@ -2,6 +2,12 @@ module Caber::Subject
|
|
|
2
2
|
extend ActiveSupport::Concern
|
|
3
3
|
|
|
4
4
|
included do
|
|
5
|
+
has_many :caber_relations, as: :subject, class_name: "Caber::Relation", dependent: :destroy
|
|
6
|
+
scope :with_permission, ->(permission) { where("caber_relations.permission": permission) }
|
|
7
|
+
|
|
8
|
+
def self.can_have_permissions_on(model)
|
|
9
|
+
has_many :"permitted_#{model.name.pluralize.parameterize}", through: :caber_relations, source: :object, source_type: model.name
|
|
10
|
+
end
|
|
5
11
|
end
|
|
6
12
|
|
|
7
13
|
def has_permission_on?(permission, object)
|
data/lib/caber/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: caber
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- James Smith
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-08-
|
|
11
|
+
date: 2024-08-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|