rabarber 2.0.0 → 2.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -1
- data/README.md +17 -7
- data/lib/rabarber/controllers/concerns/authorization.rb +4 -0
- data/lib/rabarber/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2cf7603eb6340263f349ffd661101f6428d210982b2a4dfb0d121f19814db3b7
|
|
4
|
+
data.tar.gz: e31584352b9ea5565bfbc4e9a9f53084c6b9123643eb6919557ef52b9dfb3efb
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 757631f95940e95d1640d16101b1fafe049808178ade0d0d97aac3163d0c31c581043bbeeab5b94da9ba4ed28e9edf890aba9adc845e80e9ab1b39ae22c6d66b
|
|
7
|
+
data.tar.gz: 0eb8500deced87bea565d146de0dcd236ffeacac86e025bd6c5cd484fad94cb8594158575c88e31c69fec1f9d0a83f5328029ee261a343603505f847cad5e989
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## v2.1.0
|
|
2
|
+
|
|
3
|
+
### Features:
|
|
4
|
+
|
|
5
|
+
- Added `Rabarber::Authorization.skip_authorization` method to skip authorization checks
|
|
6
|
+
|
|
1
7
|
## v2.0.0
|
|
2
8
|
|
|
3
9
|
### Breaking:
|
|
@@ -14,7 +20,7 @@ To upgrade to v2.0.0, please refer to the [migration guide](https://github.com/e
|
|
|
14
20
|
|
|
15
21
|
### Bugs:
|
|
16
22
|
|
|
17
|
-
- Fixed the issue where an error would occur if the user was not authenticated
|
|
23
|
+
- Fixed the issue where an error would occur when using view helpers if the user was not authenticated
|
|
18
24
|
|
|
19
25
|
### Misc:
|
|
20
26
|
|
data/README.md
CHANGED
|
@@ -40,6 +40,7 @@ This means that `admin` users can access everything in `TicketsController`, whil
|
|
|
40
40
|
- [Authorization Rules](#authorization-rules)
|
|
41
41
|
- [Dynamic Authorization Rules](#dynamic-authorization-rules)
|
|
42
42
|
- [When Unauthorized](#when-unauthorized)
|
|
43
|
+
- [Skip Authorization](#skip-authorization)
|
|
43
44
|
- [View Helpers](#view-helpers)
|
|
44
45
|
- [Audit Trail](#audit-trail)
|
|
45
46
|
|
|
@@ -246,8 +247,6 @@ end
|
|
|
246
247
|
```
|
|
247
248
|
This grants access to `index` action for users with `accountant` or `admin` role, and access to `destroy` action for `admin` users only.
|
|
248
249
|
|
|
249
|
-
Please note that Rabarber does not provide any built-in data scoping mechanism as it is not a part of the authorization layer and is not necessarily role specific or has anything to do with the current user. The business logic can vary drastically depending on the application, so you're encouraged to limit the data visibility yourself, for example, in the same way as in the example above, where `accountant` role can only see paid invoices.
|
|
250
|
-
|
|
251
250
|
You can also define controller-wide rules (without `action` argument):
|
|
252
251
|
|
|
253
252
|
```rb
|
|
@@ -289,11 +288,9 @@ class InvoicesController < ApplicationController
|
|
|
289
288
|
end
|
|
290
289
|
```
|
|
291
290
|
|
|
292
|
-
This allows everyone to access `OrdersController` and its children and also `index` action in `InvoicesController`.
|
|
293
|
-
|
|
294
|
-
If the user is not authenticated (the method responsible for returning the currently authenticated user in your application returns `nil`), Rabarber will handle this situation as if the user has no roles.
|
|
291
|
+
This allows everyone to access `OrdersController` and its children and also `index` action in `InvoicesController`.
|
|
295
292
|
|
|
296
|
-
If you've set `must_have_roles` setting to `true`, then only the users with at least one role can gain access. This setting can be useful if your requirements are such that users without roles
|
|
293
|
+
If you've set `must_have_roles` setting to `true`, then only the users with at least one role can gain access. This setting can be useful if your requirements are such that users without roles are not allowed to access anything.
|
|
297
294
|
|
|
298
295
|
Also keep in mind that rules defined in child classes don't override parent rules but rather add to them:
|
|
299
296
|
```rb
|
|
@@ -349,7 +346,7 @@ class Crm::InvoicesController < ApplicationController
|
|
|
349
346
|
end
|
|
350
347
|
end
|
|
351
348
|
```
|
|
352
|
-
You can pass a dynamic rule as `if` or `unless` argument. It can be a symbol, in which case the method with that name will be called
|
|
349
|
+
You can pass a dynamic rule as `if` or `unless` argument. It can be a symbol, in which case the method with that name will be called, or alternatively it can be a proc that will be executed within the context of the controller instance at request time.
|
|
353
350
|
|
|
354
351
|
You can use only dynamic rules without specifying roles if that suits your needs:
|
|
355
352
|
```rb
|
|
@@ -392,6 +389,19 @@ end
|
|
|
392
389
|
|
|
393
390
|
The method can be overridden in different controllers, providing flexibility in handling unauthorized access attempts.
|
|
394
391
|
|
|
392
|
+
## Skip Authorization
|
|
393
|
+
|
|
394
|
+
To skip authorization, use `.skip_authorization(options = {})` method:
|
|
395
|
+
|
|
396
|
+
```rb
|
|
397
|
+
class TicketsController < ApplicationController
|
|
398
|
+
skip_authorization only: :index
|
|
399
|
+
# ...
|
|
400
|
+
end
|
|
401
|
+
```
|
|
402
|
+
|
|
403
|
+
This method accepts the same options as `skip_before_action` method in Rails.
|
|
404
|
+
|
|
395
405
|
## View Helpers
|
|
396
406
|
|
|
397
407
|
Rabarber also provides a couple of helpers that can be used in views: `visible_to(*roles, &block)` and `hidden_from(*roles, &block)`. To use them, simply include `Rabarber::Helpers` in the desired helper. Usually it is `ApplicationHelper`, but it can be any helper of your choice.
|
|
@@ -11,6 +11,10 @@ module Rabarber
|
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
class_methods do
|
|
14
|
+
def skip_authorization(options = {})
|
|
15
|
+
skip_before_action :verify_access, **options
|
|
16
|
+
end
|
|
17
|
+
|
|
14
18
|
def grant_access(action: nil, roles: nil, if: nil, unless: nil)
|
|
15
19
|
dynamic_rule, negated_dynamic_rule = binding.local_variable_get(:if), binding.local_variable_get(:unless)
|
|
16
20
|
|
data/lib/rabarber/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rabarber
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- enjaku4
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2024-
|
|
12
|
+
date: 2024-05-28 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rails
|