casbin-ruby 1.0.3 → 1.0.4

Files changed (41) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +242 -0
  3. data/lib/casbin-ruby.rb +11 -0
  4. data/lib/casbin-ruby/config/config.rb +115 -0
  5. data/lib/casbin-ruby/core_enforcer.rb +356 -0
  6. data/lib/casbin-ruby/effect/allow_and_deny_effector.rb +23 -0
  7. data/lib/casbin-ruby/effect/allow_override_effector.rb +23 -0
  8. data/lib/casbin-ruby/effect/default_effector.rb +37 -0
  9. data/lib/casbin-ruby/effect/deny_override_effector.rb +23 -0
  10. data/lib/casbin-ruby/effect/effector.rb +18 -0
  11. data/lib/casbin-ruby/effect/priority_effector.rb +25 -0
  12. data/lib/casbin-ruby/enforcer.rb +189 -0
  13. data/lib/casbin-ruby/internal_enforcer.rb +73 -0
  14. data/lib/casbin-ruby/management_enforcer.rb +297 -0
  15. data/lib/casbin-ruby/model/assertion.rb +33 -0
  16. data/lib/casbin-ruby/model/function_map.rb +30 -0
  17. data/lib/casbin-ruby/model/model.rb +80 -0
  18. data/lib/casbin-ruby/model/policy.rb +161 -0
  19. data/lib/casbin-ruby/persist/adapter.rb +39 -0
  20. data/lib/casbin-ruby/persist/adapters/file_adapter.rb +53 -0
  21. data/lib/casbin-ruby/persist/batch_adapter.rb +16 -0
  22. data/lib/casbin-ruby/persist/filtered_adapter.rb +17 -0
  23. data/lib/casbin-ruby/rbac/default_role_manager/role.rb +54 -0
  24. data/lib/casbin-ruby/rbac/default_role_manager/role_manager.rb +146 -0
  25. data/lib/casbin-ruby/rbac/role_manager.rb +22 -0
  26. data/lib/casbin-ruby/synced_enforcer.rb +39 -0
  27. data/lib/casbin-ruby/util.rb +80 -0
  28. data/lib/casbin-ruby/util/builtin_operators.rb +105 -0
  29. data/lib/casbin-ruby/util/evaluator.rb +27 -0
  30. data/lib/casbin-ruby/util/thread_lock.rb +19 -0
  31. data/lib/casbin-ruby/version.rb +5 -0
  32. data/spec/casbin/config/config_spec.rb +66 -0
  33. data/spec/casbin/core_enforcer_spec.rb +473 -0
  34. data/spec/casbin/enforcer_spec.rb +302 -0
  35. data/spec/casbin/model/function_map_spec.rb +28 -0
  36. data/spec/casbin/rbac/default_role_manager/role_manager_spec.rb +131 -0
  37. data/spec/casbin/rbac/default_role_manager/role_spec.rb +84 -0
  38. data/spec/casbin/util/builtin_operators_spec.rb +205 -0
  39. data/spec/casbin/util_spec.rb +98 -0
  40. data/spec/support/model_helper.rb +9 -0
  41. metadata +51 -3
@@ -0,0 +1,23 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'casbin-ruby/effect/effector'
4
+
5
+ module Casbin
6
+ module Effect
7
+ class AllowAndDenyEffector < Effect::Effector
8
+ # returns a intermediate effect based on the matched effects of the enforcer
9
+ def intermediate_effect(effects)
10
+ return DENY if effects.include?(DENY)
11
+
12
+ INDETERMINATE
13
+ end
14
+
15
+ # returns the final effect based on the matched effects of the enforcer
16
+ def final_effect(effects)
17
+ return DENY if effects.include?(DENY) || !effects.include?(ALLOW)
18
+
19
+ ALLOW
20
+ end
21
+ end
22
+ end
23
+ end
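Review bot: `AllowAndDenyEffector` has no class-level comment saying which policy effect expression it implements, so a reader has to open `DefaultEffector.get_effector` to find out. A line above the class such as `# Implements 'some(where (p_eft == allow)) && !some(where (p_eft == deny))': any DENY wins, and no ALLOW also yields DENY.` would make the fail-closed behaviour of `final_effect` explicit. The same gap exists in `AllowOverrideEffector`, `DenyOverrideEffector` and `PriorityEffector`. The method comments in all of them read "a intermediate effect", which should be "an intermediate effect".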
@@ -0,0 +1,23 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'casbin-ruby/effect/effector'
4
+
5
+ module Casbin
6
+ module Effect
7
+ class AllowOverrideEffector < Effect::Effector
8
+ # returns a intermediate effect based on the matched effects of the enforcer
9
+ def intermediate_effect(effects)
10
+ return ALLOW if effects.include?(ALLOW)
11
+
12
+ INDETERMINATE
13
+ end
14
+
15
+ # returns the final effect based on the matched effects of the enforcer
16
+ def final_effect(effects)
17
+ return ALLOW if effects.include?(ALLOW)
18
+
19
+ DENY
20
+ end
21
+ end
22
+ end
23
+ end
@@ -0,0 +1,37 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'casbin-ruby/effect/effector'
4
+ require 'casbin-ruby/effect/allow_override_effector'
5
+ require 'casbin-ruby/effect/deny_override_effector'
6
+ require 'casbin-ruby/effect/allow_and_deny_effector'
7
+ require 'casbin-ruby/effect/priority_effector'
8
+
9
+ module Casbin
10
+ module Effect
11
+ # default effector for Casbin.
12
+ class DefaultEffector < Effect::Effector
13
+ # creates an effector based on the current policy effect expression
14
+ def self.get_effector(expr)
15
+ case expr
16
+ when 'some(where (p_eft == allow))'
17
+ Effect::AllowOverrideEffector.new
18
+ when '!some(where (p_eft == deny))'
19
+ Effect::DenyOverrideEffector.new
20
+ when 'some(where (p_eft == allow)) && !some(where (p_eft == deny))'
21
+ Effect::AllowAndDenyEffector.new
22
+ when 'priority(p_eft) || deny'
23
+ Effect::PriorityEffector.new
24
+ else
25
+ raise 'unsupported effect'
26
+ end
27
+ end
28
+
29
+ def self.effect_to_bool(effect)
30
+ return true if effect == ALLOW
31
+ return false if effect == DENY
32
+
33
+ raise "effect can't be converted to boolean"
34
+ end
35
+ end
36
+ end
37
+ end
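Review bot: The `else` branch of `get_effector` raises `'unsupported effect'` without naming the expression it rejected. Because the `when` arms compare the whole string exactly, a model whose effect line differs only in spacing ends up here. Failing closed is the right outcome for an authorization library, but the message should carry the input, for example `raise "unsupported effect: #{expr.inspect}"`. `effect_to_bool` has no comment; `# converts ALLOW/DENY to true/false and raises for any other value, including INDETERMINATE` would document that it never maps an undecided result to a boolean.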
@@ -0,0 +1,23 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'casbin-ruby/effect/effector'
4
+
5
+ module Casbin
6
+ module Effect
7
+ class DenyOverrideEffector < Effect::Effector
8
+ # returns a intermediate effect based on the matched effects of the enforcer
9
+ def intermediate_effect(effects)
10
+ return DENY if effects.include?(DENY)
11
+
12
+ INDETERMINATE
13
+ end
14
+
15
+ # returns the final effect based on the matched effects of the enforcer
16
+ def final_effect(effects)
17
+ return DENY if effects.include?(DENY)
18
+
19
+ ALLOW
20
+ end
21
+ end
22
+ end
23
+ end
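Review bot: `final_effect` returns `ALLOW` whenever `effects` contains no `DENY`, which includes an empty list and a list of only `INDETERMINATE` values, so a request that matches no rule is allowed. That follows from the expression `'!some(where (p_eft == deny))'` that selects this class in `DefaultEffector`, but it is the one effector here that defaults to allow, and the code should say so. I would add above `final_effect`: `# NOTE: default-allow - returns ALLOW when no rule matched at all; use the allow-and-deny expression if unmatched requests must be denied.`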
@@ -0,0 +1,18 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Casbin
4
+ module Effect
5
+ # Effector is the interface for Casbin effectors.
6
+ class Effector
7
+ ALLOW = 0
8
+ INDETERMINATE = 1
9
+ DENY = 2
10
+
11
+ # returns a intermediate effect based on the matched effects of the enforcer
12
+ def intermediate_effect(_effects); end
13
+
14
+ # returns the final effect based on the matched effects of the enforcer
15
+ def final_effect(_effects); end
16
+ end
17
+ end
18
+ end
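Review bot: The two interface methods are empty (`def intermediate_effect(_effects); end`), so a subclass that does not override them returns `nil` instead of one of `ALLOW`/`INDETERMINATE`/`DENY`. `DefaultEffector` in this release is such a subclass: it inherits both methods unchanged. How the enforcer treats a `nil` effect is not visible here, so it is safer to fail loudly at the source with `raise NotImplementedError, "#{self.class} must implement #{__method__}"` in each body. A comment on the constants stating that they are compared by value with `include?` and `==` would also help.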
@@ -0,0 +1,25 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'casbin-ruby/effect/effector'
4
+
5
+ module Casbin
6
+ module Effect
7
+ class PriorityEffector < Effect::Effector
8
+ # returns a intermediate effect based on the matched effects of the enforcer
9
+ def intermediate_effect(effects)
10
+ return ALLOW if effects.include?(ALLOW)
11
+ return DENY if effects.include?(DENY)
12
+
13
+ INDETERMINATE
14
+ end
15
+
16
+ # returns the final effect based on the matched effects of the enforcer
17
+ def final_effect(effects)
18
+ return ALLOW if effects.include?(ALLOW)
19
+ return DENY if effects.include?(DENY)
20
+
21
+ DENY
22
+ end
23
+ end
24
+ end
25
+ end
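Review bot: Both methods test `effects.include?(ALLOW)` before `effects.include?(DENY)`, so the result does not depend on the order of `effects`. A list holding a `DENY` ahead of an `ALLOW` still yields `ALLOW`. This is only correct if the caller stops at the first non-INDETERMINATE intermediate result and never passes a list containing both; that caller is outside this file. Taking the first decided entry removes the dependency: `effects.find { |e| e != INDETERMINATE } || INDETERMINATE` in `intermediate_effect` and `effects.find { |e| e != INDETERMINATE } || DENY` in `final_effect`. The second form also drops the redundant `return DENY if effects.include?(DENY)` that precedes the unconditional `DENY`.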
@@ -0,0 +1,189 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'casbin-ruby/management_enforcer'
4
+ require 'casbin-ruby/util'
5
+
6
+ module Casbin
7
+ # Enforcer = ManagementEnforcer + RBAC_API + RBAC_WITH_DOMAIN_API
8
+ #
9
+ # creates an enforcer via file or DB.
10
+ # File:
11
+ # e = casbin.Enforcer("path/to/basic_model.conf", "path/to/basic_policy.csv")
12
+ # MySQL DB:
13
+ # a = mysqladapter.DBAdapter("mysql", "mysql_username:mysql_password@tcp(127.0.0.1:3306)/")
14
+ # e = casbin.Enforcer("path/to/basic_model.conf", a)
15
+ class Enforcer < ManagementEnforcer
16
+ # gets the roles that a user has.
17
+ def get_roles_for_user(name)
18
+ model.model['g']['g'].rm.get_roles(name)
19
+ end
20
+
21
+ # gets the users that has a role.
22
+ def get_users_for_role(name)
23
+ model.model['g']['g'].rm.get_users(name)
24
+ end
25
+
26
+ # determines whether a user has a role.
27
+ def has_role_for_user(name, role)
28
+ roles = get_roles_for_user(name)
29
+ roles.include?(role)
30
+ end
31
+
32
+ # adds a role for a user.
33
+ # Returns false if the user already has the role (aka not affected).
34
+ def add_role_for_user(user, role)
35
+ add_grouping_policy(user, role)
36
+ end
37
+
38
+ # deletes a role for a user.
39
+ # Returns false if the user does not have the role (aka not affected).
40
+ def delete_role_for_user(user, role)
41
+ remove_grouping_policy(user, role)
42
+ end
43
+
44
+ # deletes all roles for a user.
45
+ # Returns false if the user does not have any roles (aka not affected).
46
+ def delete_roles_for_user(user)
47
+ remove_filtered_grouping_policy(0, user)
48
+ end
49
+
50
+ # deletes a user.
51
+ # Returns false if the user does not exist (aka not affected).
52
+ def delete_user(user)
53
+ res1 = remove_filtered_grouping_policy(0, user)
54
+ res2 = remove_filtered_policy(0, user)
55
+ res1 || res2
56
+ end
57
+
58
+ # deletes a role.
59
+ # Returns false if the role does not exist (aka not affected).
60
+ def delete_role(role)
61
+ res1 = remove_filtered_grouping_policy(1, role)
62
+ res2 = remove_filtered_policy(0, role)
63
+ res1 || res2
64
+ end
65
+
66
+ # deletes a permission.
67
+ # Returns false if the permission does not exist (aka not affected).
68
+ def delete_permission(*permission)
69
+ remove_filtered_policy(1, *permission)
70
+ end
71
+
72
+ # adds a permission for a user or role.
73
+ # Returns false if the user or role already has the permission (aka not affected).
74
+ def add_permission_for_user(user, *permission)
75
+ add_policy(Util.join_slice(user, *permission))
76
+ end
77
+
78
+ # deletes a permission for a user or role.
79
+ # Returns false if the user or role does not have the permission (aka not affected).
80
+ def delete_permission_for_user(user, *permission)
81
+ remove_policy(Util.join_slice(user, *permission))
82
+ end
83
+
84
+ # deletes permissions for a user or role.
85
+ # Returns false if the user or role does not have any permissions (aka not affected).
86
+ def delete_permissions_for_user(user)
87
+ remove_filtered_policy(0, user)
88
+ end
89
+
90
+ # gets permissions for a user or role.
91
+ def get_permissions_for_user(user)
92
+ get_filtered_policy(0, user)
93
+ end
94
+
95
+ # determines whether a user has a permission.
96
+ def has_permission_for_user(user, *permission)
97
+ has_policy(Util.join_slice(user, *permission))
98
+ end
99
+
100
+ # gets implicit roles that a user has.
101
+ # Compared to get_roles_for_user(), this function retrieves indirect roles besides direct roles.
102
+ # For example:
103
+ # g, alice, role:admin
104
+ # g, role:admin, role:user
105
+ # get_roles_for_user("alice") can only get: ["role:admin"].
106
+ # But get_implicit_roles_for_user("alice") will get: ["role:admin", "role:user"].
107
+ def get_implicit_roles_for_user(name, domain = nil)
108
+ res = []
109
+ queue = [name]
110
+ while queue.size.positive?
111
+ name = queue.delete_at(0)
112
+ rm_map.each_value do |rm|
113
+ rm.get_roles(name, domain).each do |r|
114
+ res << r
115
+ queue << r
116
+ end
117
+ end
118
+ end
119
+
120
+ res
121
+ end
122
+
123
+ # gets implicit permissions for a user or role.
124
+ # Compared to get_permissions_for_user(), this function retrieves permissions for inherited roles.
125
+ # For example:
126
+ # p, admin, data1, read
127
+ # p, alice, data2, read
128
+ # g, alice, admin
129
+ # get_permissions_for_user("alice") can only get: [["alice", "data2", "read"]].
130
+ # But get_implicit_permissions_for_user("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].
131
+ def get_implicit_permissions_for_user(user, domain = nil)
132
+ roles = get_implicit_roles_for_user(user, domain)
133
+ roles.insert(0, user)
134
+ res = []
135
+ roles.each do |role|
136
+ permissions = if domain
137
+ get_permissions_for_user_in_domain(role, domain)
138
+ else
139
+ get_permissions_for_user(role)
140
+ end
141
+
142
+ res.concat(permissions)
143
+ end
144
+
145
+ res
146
+ end
147
+
148
+ # gets implicit users for a permission.
149
+ # For example:
150
+ # p, admin, data1, read
151
+ # p, bob, data1, read
152
+ # g, alice, admin
153
+ # get_implicit_users_for_permission("data1", "read") will get: ["alice", "bob"].
154
+ # Note: only users will be returned, roles (2nd arg in "g") will be excluded.
155
+ def get_implicit_users_for_permission(*permission)
156
+ subjects = get_all_subjects
157
+ roles = get_all_roles
158
+ users = Util.set_subtract(subjects, roles)
159
+ users.find_all { |user| enforce(*Util.join_slice(user, *permission)) }
160
+ end
161
+
162
+ # gets the roles that a user has inside a domain.
163
+ def get_roles_for_user_in_domain(name, domain)
164
+ model.model['g']['g'].rm.get_roles(name, domain)
165
+ end
166
+
167
+ # gets the users that has a role inside a domain.
168
+ def get_users_for_role_in_domain(name, domain)
169
+ model.model['g']['g'].rm.get_users(name, domain)
170
+ end
171
+
172
+ # adds a role for a user inside a domain.
173
+ # Returns false if the user already has the role (aka not affected).
174
+ def add_role_for_user_in_domain(user, role, domain)
175
+ add_grouping_policy(user, role, domain)
176
+ end
177
+
178
+ # deletes a role for a user inside a domain.
179
+ # Returns false if the user does not have any roles (aka not affected).
180
+ def delete_roles_for_user_in_domain(user, role, domain)
181
+ remove_filtered_grouping_policy(0, user, role, domain)
182
+ end
183
+
184
+ # gets permissions for a user or role inside domain.
185
+ def get_permissions_for_user_in_domain(user, domain)
186
+ get_filtered_policy(0, user, domain)
187
+ end
188
+ end
189
+ end
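Review bot: `get_implicit_roles_for_user` keeps no record of names it has already expanded. With a cyclic grouping (constructed example: `g, a, b` together with `g, b, a`) the `while queue.size.positive?` loop re-queues the same roles forever and `res` grows without bound. Whether the role manager rejects such cycles on load is not visible in this file, so the traversal should protect itself. The version below tracks visited names; as a side effect each role appears once in the result, where the current code repeats a role reachable by two paths. `get_implicit_permissions_for_user` calls this method and inherits the same behaviour.

```ruby
def get_implicit_roles_for_user(name, domain = nil)
  res = []
  seen = { name => true }
  queue = [name]
  until queue.empty?
    current = queue.shift
    rm_map.each_value do |rm|
      rm.get_roles(current, domain).each do |r|
        next if seen[r]

        seen[r] = true
        res << r
        queue << r
      end
    end
  end

  res
end
```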
@@ -0,0 +1,73 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'casbin-ruby/core_enforcer'
4
+
5
+ module Casbin
6
+ # InternalEnforcer = CoreEnforcer + Internal API.
7
+ class InternalEnforcer < CoreEnforcer
8
+ protected
9
+
10
+ # adds a rule to the current policy.
11
+ def add_policy(sec, ptype, rule)
12
+ return false unless model.add_policy(sec, ptype, rule)
13
+
14
+ make_persistent :add_policy, sec, ptype, rule
15
+ end
16
+
17
+ # adds rules to the current policy.
18
+ def add_policies(sec, ptype, rules)
19
+ return false unless model.add_policies(sec, ptype, rules)
20
+
21
+ make_persistent :add_policies, sec, ptype, rules
22
+ end
23
+
24
+ # updates a rule from the current policy.
25
+ def update_policy(sec, ptype, old_rule, new_rule)
26
+ return false unless model.update_policy(sec, ptype, old_rule, new_rule)
27
+
28
+ make_persistent :update_policy, sec, ptype, old_rule, new_rule
29
+ end
30
+
31
+ # updates rules from the current policy.
32
+ def update_policies(sec, ptype, old_rules, new_rules)
33
+ return false unless model.update_policies(sec, ptype, old_rules, new_rules)
34
+
35
+ make_persistent :update_policies, sec, ptype, old_rules, new_rules
36
+ end
37
+
38
+ # removes a rule from the current policy.
39
+ def remove_policy(sec, ptype, rule)
40
+ return false unless model.remove_policy(sec, ptype, rule)
41
+
42
+ make_persistent :remove_policy, sec, ptype, rule
43
+ end
44
+
45
+ # removes policy rules from the model.
46
+ def remove_policies(sec, ptype, rules)
47
+ return false unless model.remove_policies(sec, ptype, rules)
48
+
49
+ make_persistent :remove_policies, sec, ptype, rules
50
+ end
51
+
52
+ # removes rules based on field filters from the current policy.
53
+ def remove_filtered_policy(sec, ptype, field_index, *field_values)
54
+ return false unless model.remove_filtered_policy(sec, ptype, field_index, *field_values)
55
+
56
+ make_persistent :remove_filtered_policy, sec, ptype, field_index, *field_values
57
+ end
58
+
59
+ private
60
+
61
+ def make_persistent(meth, *args)
62
+ if adapter && auto_save
63
+ # we can add the `add_policies`, `update_policy`, `update_policies`, `remove_policies` methods
64
+ # to the base Adapter class and remove `respond_to?`
65
+ return false unless adapter.respond_to?(meth) && adapter.public_send(meth, *args)
66
+
67
+ watcher&.update
68
+ end
69
+
70
+ true
71
+ end
72
+ end
73
+ end
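Review bot: Every mutator changes the in-memory model first and only then calls `make_persistent`. When the adapter does not respond to the method or its call returns a falsy value, the method returns `false` although the rule has already been added or removed in memory. The enforcer then decides on a policy that differs from the stored one until the next reload, and `watcher&.update` is skipped. The missing-method case can be checked before touching the model, e.g. `return false if adapter && auto_save && !adapter.respond_to?(:add_policy)` as the first line of `add_policy`, and likewise in the other six methods. For a failing adapter call, either undo the model change or document that `false` can mean "applied in memory but not persisted".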
@@ -0,0 +1,297 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'casbin-ruby/internal_enforcer'
4
+
5
+ module Casbin
6
+ # ManagementEnforcer = InternalEnforcer + Management API.
7
+ class ManagementEnforcer < InternalEnforcer
8
+ alias parent_add_policy add_policy
9
+ alias parent_add_policies add_policies
10
+ alias parent_update_policy update_policy
11
+ alias parent_update_policies update_policies
12
+ alias parent_remove_policy remove_policy
13
+ alias parent_remove_policies remove_policies
14
+ alias parent_remove_filtered_policy remove_filtered_policy
15
+
16
+ # gets the list of subjects that show up in the current policy.
17
+ def get_all_subjects
18
+ get_all_named_subjects('p')
19
+ end
20
+
21
+ # gets the list of subjects that show up in the current named policy.
22
+ def get_all_named_subjects(ptype)
23
+ model.get_values_for_field_in_policy('p', ptype, 0)
24
+ end
25
+
26
+ # gets the list of objects that show up in the current policy.
27
+ def get_all_objects
28
+ get_all_named_objects('p')
29
+ end
30
+
31
+ # gets the list of objects that show up in the current named policy.
32
+ def get_all_named_objects(ptype)
33
+ model.get_values_for_field_in_policy('p', ptype, 1)
34
+ end
35
+
36
+ # gets the list of actions that show up in the current policy.
37
+ def get_all_actions
38
+ get_all_named_actions('p')
39
+ end
40
+
41
+ # gets the list of actions that show up in the current named policy.
42
+ def get_all_named_actions(ptype)
43
+ model.get_values_for_field_in_policy('p', ptype, 2)
44
+ end
45
+
46
+ # gets the list of roles that show up in the current named policy.
47
+ def get_all_roles
48
+ get_all_named_roles('g')
49
+ end
50
+
51
+ def get_all_named_roles(ptype)
52
+ model.get_values_for_field_in_policy('g', ptype, 1)
53
+ end
54
+
55
+ # gets all the authorization rules in the policy.
56
+ def get_policy
57
+ get_named_policy('p')
58
+ end
59
+
60
+ # gets all the authorization rules in the policy, field filters can be specified.
61
+ def get_filtered_policy(field_index, *field_values)
62
+ get_filtered_named_policy('p', field_index, *field_values)
63
+ end
64
+
65
+ # gets all the authorization rules in the named policy.
66
+ def get_named_policy(ptype)
67
+ model.get_policy('p', ptype)
68
+ end
69
+
70
+ # gets all the authorization rules in the named policy, field filters can be specified.
71
+ def get_filtered_named_policy(ptype, field_index, *field_values)
72
+ model.get_filtered_policy('p', ptype, field_index, *field_values)
73
+ end
74
+
75
+ # gets all the role inheritance rules in the policy.
76
+ def get_grouping_policy
77
+ get_named_grouping_policy('g')
78
+ end
79
+
80
+ # gets all the role inheritance rules in the policy, field filters can be specified.
81
+ def get_filtered_grouping_policy(field_index, *field_values)
82
+ get_filtered_named_grouping_policy('g', field_index, *field_values)
83
+ end
84
+
85
+ # gets all the role inheritance rules in the policy.
86
+ def get_named_grouping_policy(ptype)
87
+ model.get_policy('g', ptype)
88
+ end
89
+
90
+ # gets all the role inheritance rules in the policy, field filters can be specified.
91
+ def get_filtered_named_grouping_policy(ptype, field_index, *field_values)
92
+ model.get_filtered_policy('g', ptype, field_index, *field_values)
93
+ end
94
+
95
+ # determines whether an authorization rule exists.
96
+ def has_policy(*params)
97
+ has_named_policy('p', *params)
98
+ end
99
+
100
+ # determines whether a named authorization rule exists.
101
+ def has_named_policy(ptype, *params)
102
+ if params.size == 1 && params[0].is_a?(Array)
103
+ model.has_policy('p', ptype, params[0])
104
+ else
105
+ model.has_policy('p', ptype, [params])
106
+ end
107
+ end
108
+
109
+ # adds an authorization rule to the current policy.
110
+ #
111
+ # If the rule already exists, the function returns false and the rule will not be added.
112
+ # Otherwise the function returns true by adding the new rule.
113
+ def add_policy(*params)
114
+ add_named_policy('p', *params)
115
+ end
116
+
117
+ # adds authorization rules to the current policy.
118
+ #
119
+ # If the rule already exists, the function returns false for the corresponding rule and the rule will not be added.
120
+ # Otherwise the function returns true for the corresponding rule by adding the new rule.
121
+ def add_policies(rules)
122
+ add_named_policies('p', rules)
123
+ end
124
+
125
+ # adds an authorization rule to the current named policy.
126
+ #
127
+ # If the rule already exists, the function returns false and the rule will not be added.
128
+ # Otherwise the function returns true by adding the new rule.
129
+ def add_named_policy(ptype, *params)
130
+ if params.size == 1 && params[0].is_a?(Array)
131
+ parent_add_policy('p', ptype, params[0])
132
+ else
133
+ parent_add_policy('p', ptype, [params])
134
+ end
135
+ end
136
+
137
+ # adds authorization rules to the current named policy.
138
+ #
139
+ # If the rule already exists, the function returns false for the corresponding rule and the rule will not be added.
140
+ # Otherwise the function returns true for the corresponding by adding the new rule.
141
+ def add_named_policies(ptype, rules)
142
+ parent_add_policies('p', ptype, rules)
143
+ end
144
+
145
+ # updates an authorization rule from the current policy.
146
+ def update_policy(old_rule, new_rule)
147
+ update_named_policy('p', old_rule, new_rule)
148
+ end
149
+
150
+ # updates authorization rules from the current policy.
151
+ def update_policies(old_rules, new_rules)
152
+ update_named_policies('p', old_rules, new_rules)
153
+ end
154
+
155
+ # updates an authorization rule from the current named policy.
156
+ def update_named_policy(ptype, old_rule, new_rule)
157
+ parent_update_policy('p', ptype, old_rule, new_rule)
158
+ end
159
+
160
+ # updates authorization rules from the current named policy.
161
+ def update_named_policies(ptype, old_rules, new_rules)
162
+ parent_update_policies('p', ptype, old_rules, new_rules)
163
+ end
164
+
165
+ # removes an authorization rule from the current policy.
166
+ def remove_policy(*params)
167
+ remove_named_policy('p', *params)
168
+ end
169
+
170
+ # removes authorization rules from the current policy.
171
+ def remove_policies(rules)
172
+ remove_named_policies('p', rules)
173
+ end
174
+
175
+ # removes an authorization rule from the current policy, field filters can be specified.
176
+ def remove_filtered_policy(field_index, *field_values)
177
+ remove_filtered_named_policy('p', field_index, *field_values)
178
+ end
179
+
180
+ # removes an authorization rule from the current named policy.
181
+ def remove_named_policy(ptype, *params)
182
+ if params.size == 1 && params[0].is_a?(Array)
183
+ parent_remove_policy('p', ptype, params[0])
184
+ else
185
+ parent_remove_policy('p', ptype, [params])
186
+ end
187
+ end
188
+
189
+ # removes authorization rules from the current named policy.
190
+ def remove_named_policies(ptype, rules)
191
+ parent_remove_policies('p', ptype, rules)
192
+ end
193
+
194
+ # removes an authorization rule from the current named policy, field filters can be specified.
195
+ def remove_filtered_named_policy(ptype, field_index, *field_values)
196
+ parent_remove_filtered_policy('p', ptype, field_index, *field_values)
197
+ end
198
+
199
+ # determines whether a role inheritance rule exists.
200
+ def has_grouping_policy
201
+ has_named_grouping_policy('g', *params)
202
+ end
203
+
204
+ # determines whether a named role inheritance rule exists.
205
+ def has_named_grouping_policy(ptype, *params)
206
+ if params.size == 1 && params[0].is_a?(Array)
207
+ model.has_policy('g', ptype, params[0])
208
+ else
209
+ model.has_policy('g', ptype, [params])
210
+ end
211
+ end
212
+
213
+ # adds a role inheritance rule to the current policy.
214
+ #
215
+ # If the rule already exists, the function returns false and the rule will not be added.
216
+ # Otherwise the function returns true by adding the new rule.
217
+ def add_grouping_policy(*params)
218
+ add_named_grouping_policy('g', *params)
219
+ end
220
+
221
+ # adds role inheritance rulea to the current policy.
222
+ #
223
+ # If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be
224
+ # added.
225
+ # Otherwise the function returns true for the corresponding policy rule by adding the new rule.
226
+ def add_grouping_policies(rules)
227
+ add_named_grouping_policies('g', rules)
228
+ end
229
+
230
+ # adds a named role inheritance rule to the current policy.
231
+ #
232
+ # If the rule already exists, the function returns false and the rule will not be added.
233
+ # Otherwise the function returns true by adding the new rule.
234
+ def add_named_grouping_policy(ptype, *params)
235
+ rule_added = if params.size == 1 && params[0].is_a?(Array)
236
+ parent_add_policy('g', ptype, params[0])
237
+ else
238
+ parent_add_policy('g', ptype, [params])
239
+ end
240
+
241
+ auto_build_role_links ? build_role_links : rule_added
242
+ end
243
+
244
+ # adds named role inheritance rules to the current policy.
245
+ #
246
+ # If the rule already exists, the function returns false for the corresponding policy rule and the rule will not be
247
+ # added.
248
+ # Otherwise the function returns true for the corresponding policy rule by adding the new rule.
249
+ def add_named_grouping_policies(ptype, rules)
250
+ rules_added = parent_add_policies('g', ptype, rules)
251
+ auto_build_role_links ? build_role_links : rules_added
252
+ end
253
+
254
+ # removes a role inheritance rule from the current policy.
255
+ def remove_grouping_policy(*params)
256
+ remove_named_grouping_policy('g', *params)
257
+ end
258
+
259
+ # removes role inheritance rulea from the current policy.
260
+ def remove_grouping_policies(rules)
261
+ remove_named_grouping_policies('g', rules)
262
+ end
263
+
264
+ # removes a role inheritance rule from the current policy, field filters can be specified.
265
+ def remove_filtered_grouping_policy(field_index, *field_values)
266
+ remove_filtered_named_grouping_policy('g', field_index, *field_values)
267
+ end
268
+
269
+ # removes a role inheritance rule from the current named policy.
270
+ def remove_named_grouping_policy(ptype, *params)
271
+ rule_added = if params.size == 1 && params[0].is_a?(Array)
272
+ parent_remove_policy('g', ptype, params[0])
273
+ else
274
+ parent_remove_policy('g', ptype, [params])
275
+ end
276
+
277
+ auto_build_role_links ? build_role_links : rule_added
278
+ end
279
+
280
+ # removes role inheritance rules from the current named policy.
281
+ def remove_named_grouping_policies(ptype, rules)
282
+ rules_removed = parent_remove_policies('g', ptype, rules)
283
+ auto_build_role_links ? build_role_links : rules_removed
284
+ end
285
+
286
+ # removes a role inheritance rule from the current named policy, field filters can be specified.
287
+ def remove_filtered_named_grouping_policy(ptype, field_index, *field_values)
288
+ rule_removed = parent_remove_filtered_policy('g', ptype, field_index, *field_values)
289
+ auto_build_role_links ? build_role_links : rule_removed
290
+ end
291
+
292
+ # adds a customized function.
293
+ def add_function(name, func)
294
+ fm.add_function(name, func)
295
+ end
296
+ end
297
+ end
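Review bot: `has_grouping_policy` is declared without parameters but its body calls `has_named_grouping_policy('g', *params)`, so any call raises `NameError` for the undefined `params`. The signature should match its siblings `has_policy(*params)` and `add_grouping_policy(*params)`: `def has_grouping_policy(*params)`. A spec that calls it with a user and a role would have caught this. Until it is fixed, callers cannot use this method to check role membership.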