caber 0.2.0 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +60 -6
- data/app/models/concerns/caber/object.rb +7 -0
- data/lib/caber/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3e3022bcc88c31576a8e8f204063bb1cb3a3a2365cee60f5d5d8769779821719
|
|
4
|
+
data.tar.gz: 9509f57e488c365e11cba921957db94d0f518e476f5457f56c8f12a39c160f54
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6c3fb313ae9125c1bf96a857be7abc2b8c2dead1aa4a8e1c9347d08c3e3b2dbe634e6919dac1ccafb673e97002855d0b1ded604fc77d64e4da1b0055b8ba744e
|
|
7
|
+
data.tar.gz: bb2d952b4fe708bc50194f167bf11cd01fdfdaf5d02a64a50a9c2cd8d3d8f66d0980d84f1c1922f54237cf216bd958788edbbe0b447f7229381c6bf211ed9f52
|
data/README.md
CHANGED
|
@@ -1,6 +1,11 @@
|
|
|
1
1
|
# Caber
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
|
|
7
|
+
|
|
8
|
+
A simple [ReBAC](https://en.wikipedia.org/wiki/Relationship-based_access_control) / [Zanzibar](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/) backend plugin for Rails apps. Allows you to easily specify permission relationships between pairs of objects, e.g. granting edit permission on a document to a specific user, like in Google Docs.
|
|
4
9
|
|
|
5
10
|
## Installation
|
|
6
11
|
|
|
@@ -114,6 +119,57 @@ document.revoke_permission("viewer", user)
|
|
|
114
119
|
document.revoke_all_permissions(user)
|
|
115
120
|
```
|
|
116
121
|
|
|
122
|
+
### Finding objects
|
|
123
|
+
|
|
124
|
+
You can get lists of objects that a user has some permission on:
|
|
125
|
+
|
|
126
|
+
```
|
|
127
|
+
Document.granted_to "viewer", user
|
|
128
|
+
# => All the documents that user has "viewer" permission on
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
## Usage with other gems
|
|
132
|
+
|
|
133
|
+
### Pundit
|
|
134
|
+
|
|
135
|
+
Caber makes for nice clear [Pundit](https://github.com/varvet/pundit) policies:
|
|
136
|
+
|
|
137
|
+
```
|
|
138
|
+
class DocumentPolicy < ApplicationPolicy
|
|
139
|
+
class Scope < ApplicationPolicy::Scope
|
|
140
|
+
def resolve
|
|
141
|
+
scope.granted_to(["viewer", "editor", "owner"], user)
|
|
142
|
+
end
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
def update?
|
|
146
|
+
record.grants_permission_to? ["editor", "owner"], user
|
|
147
|
+
end
|
|
148
|
+
end
|
|
149
|
+
```
|
|
150
|
+
|
|
151
|
+
### Rolify
|
|
152
|
+
|
|
153
|
+
Caber doesn't include groups specifically, but you can integrate it easily with a role management gem like [Rolify](https://github.com/RolifyCommunity/rolify) pretty easily. Make your Role class a subject, and you can grant permissions to roles:
|
|
154
|
+
|
|
155
|
+
```
|
|
156
|
+
class Document < ApplicationRecord
|
|
157
|
+
include Caber::Object
|
|
158
|
+
can_grant_permissions_to Role
|
|
159
|
+
end
|
|
160
|
+
|
|
161
|
+
class Role < ApplicationRecord
|
|
162
|
+
include Caber::Subject
|
|
163
|
+
can_have_permissions_on Document
|
|
164
|
+
|
|
165
|
+
scopify
|
|
166
|
+
end
|
|
167
|
+
|
|
168
|
+
document.grant_permission_to "editor", Role.find_by(name: "editor")
|
|
169
|
+
|
|
170
|
+
User.with_role(document.permitted_roles.with_permission("editor"))
|
|
171
|
+
# => all users with a role that can edit the document
|
|
172
|
+
```
|
|
117
173
|
|
|
118
174
|
## Development
|
|
119
175
|
|
|
@@ -123,11 +179,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
|
|
|
123
179
|
|
|
124
180
|
## Contributing
|
|
125
181
|
|
|
126
|
-
Bug reports and pull requests are welcome on GitHub at https://github.com/manyfold3d/caber. This project is intended to be a safe, welcoming space for collaboration, and
|
|
127
|
-
|
|
128
|
-
## Code of Conduct
|
|
129
|
-
|
|
130
|
-
Everyone interacting in the Caber project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/manyfold3d/caber/blob/master/CODE_OF_CONDUCT.md).
|
|
182
|
+
Bug reports and pull requests are welcome on GitHub at https://github.com/manyfold3d/caber. This project is intended to be a safe, welcoming space for collaboration; everyone interacting in the Caber project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/manyfold3d/caber/blob/master/CODE_OF_CONDUCT.md).
|
|
131
183
|
|
|
132
184
|
## Acknowledgements
|
|
133
185
|
|
|
@@ -135,3 +187,5 @@ This gem was created as part of [Manyfold](https://manyfold.app), with funding f
|
|
|
135
187
|
|
|
136
188
|
[<img src="https://nlnet.nl/logo/banner.png" alt="NLnet foundation logo" width="20%" />](https://nlnet.nl)
|
|
137
189
|
[<img src="https://nlnet.nl/image/logos/NGI0_tag.svg" alt="NGI Zero Logo" width="20%" />](https://nlnet.nl/entrust)
|
|
190
|
+
|
|
191
|
+
Name: `"ReBAC".downcase.reverse`
|
|
@@ -8,6 +8,13 @@ module Caber::Object
|
|
|
8
8
|
def self.can_grant_permissions_to(model)
|
|
9
9
|
has_many :"permitted_#{model.name.pluralize.parameterize}", through: :caber_relations, source: :subject, source_type: model.name
|
|
10
10
|
end
|
|
11
|
+
|
|
12
|
+
scope :granted_to, ->(permission, subject) {
|
|
13
|
+
includes(:caber_relations).where(
|
|
14
|
+
"caber_relations.subject": subject,
|
|
15
|
+
"caber_relations.permission": permission
|
|
16
|
+
)
|
|
17
|
+
}
|
|
11
18
|
end
|
|
12
19
|
|
|
13
20
|
def grant_permission_to(permission, subject)
|
data/lib/caber/version.rb
CHANGED