role_authorization 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- data/.gemtest +1 -0
- data/.gitignore +2 -0
- data/.rspec +1 -0
- data/.rvmrc +1 -0
- data/Gemfile +3 -0
- data/LICENSE +20 -0
- data/README.md +8 -0
- data/Rakefile +19 -0
- data/lib/rails/role_authorization.rb +8 -0
- data/lib/role_authorization/allow_group.rb +16 -0
- data/lib/role_authorization/base.rb +116 -0
- data/lib/role_authorization/exts/controller.rb +127 -0
- data/lib/role_authorization/exts/model.rb +126 -0
- data/lib/role_authorization/exts/session.rb +52 -0
- data/lib/role_authorization/exts/user.rb +58 -0
- data/lib/role_authorization/exts/view.rb +77 -0
- data/lib/role_authorization/mapper.rb +76 -0
- data/lib/role_authorization/rules/access.rb +88 -0
- data/lib/role_authorization/rules/basic.rb +22 -0
- data/lib/role_authorization/rules/custom.rb +32 -0
- data/lib/role_authorization/rules/logged_in.rb +38 -0
- data/lib/role_authorization/rules/object_role.rb +51 -0
- data/lib/role_authorization/rules/resource.rb +106 -0
- data/lib/role_authorization/rules/user.rb +70 -0
- data/lib/role_authorization/ruleset.rb +39 -0
- data/lib/role_authorization/version.rb +3 -0
- data/lib/role_authorization.rb +3 -0
- data/migrations/01_user_roles.rb +30 -0
- data/role_authorization.gemspec +23 -0
- metadata +106 -0
data/.gemtest
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
|
data/.gitignore
ADDED
data/.rspec
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--colour
|
data/.rvmrc
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
rvm use 1.9.2@gems
|
data/Gemfile
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright (c) 2011 John "asceth" Long
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
'Software'), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
17
|
+
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
18
|
+
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
19
|
+
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
20
|
+
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
data/Rakefile
ADDED
@@ -0,0 +1,19 @@
|
|
1
|
+
require "bundler"
|
2
|
+
Bundler.setup
|
3
|
+
|
4
|
+
require "rspec"
|
5
|
+
require "rspec/core/rake_task"
|
6
|
+
|
7
|
+
Rspec::Core::RakeTask.new(:spec)
|
8
|
+
|
9
|
+
gemspec = eval(File.read(File.join(Dir.pwd, "role_authorization.gemspec")))
|
10
|
+
|
11
|
+
task :build => "#{gemspec.full_name}.gem"
|
12
|
+
|
13
|
+
task :test => :spec
|
14
|
+
|
15
|
+
file "#{gemspec.full_name}.gem" => gemspec.files + ["role_authorization.gemspec"] do
|
16
|
+
system "gem build role_authorization.gemspec"
|
17
|
+
system "gem install role_authorization-#{RoleAuthorization::VERSION}.gem"
|
18
|
+
end
|
19
|
+
|
@@ -0,0 +1,16 @@
|
|
1
|
+
module RoleAuthorization
|
2
|
+
module AllowGroup
|
3
|
+
include RoleAuthorization::Ruleset
|
4
|
+
cattr_ruleset :ruleset
|
5
|
+
|
6
|
+
class << self
|
7
|
+
def define(name, &block)
|
8
|
+
add_to_ruleset(name, &block)
|
9
|
+
end
|
10
|
+
|
11
|
+
def get(*names)
|
12
|
+
ruleset.values_at(names).compact
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|
@@ -0,0 +1,116 @@
|
|
1
|
+
module RoleAuthorization
|
2
|
+
class << self
|
3
|
+
# shortcut for <tt>enable_actionpack; enable_activerecord</tt>
|
4
|
+
def enable
|
5
|
+
# load rule mapper
|
6
|
+
load 'role_authorization/mapper.rb'
|
7
|
+
load 'role_authorization/ruleset.rb'
|
8
|
+
load 'role_authorization/allow_group.rb'
|
9
|
+
load 'role_authorization/rules/basic.rb'
|
10
|
+
|
11
|
+
# load default rules
|
12
|
+
Dir.chdir(File.dirname(__FILE__)) do
|
13
|
+
Dir["rules/*.rb"].each do |rule_definition|
|
14
|
+
require "#{File.dirname(__FILE__)}/#{rule_definition}"
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
# load application rules
|
19
|
+
Dir.chdir(Rails.root) do
|
20
|
+
Dir["lib/rules/*.rb"].each do |rule_definition|
|
21
|
+
require "#{Rails.root}/#{rule_definition}"
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
# load allow groups
|
26
|
+
Dir.chdir(Rails.root) do
|
27
|
+
Dir["lib/allow_groups/*.rb"].each do |allow_group|
|
28
|
+
require "#{Rails.root}/#{allow_group}"
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
enable_actionpack
|
33
|
+
enable_activerecord
|
34
|
+
end
|
35
|
+
|
36
|
+
def enable_actionpack
|
37
|
+
load 'role_authorization/exts/view.rb'
|
38
|
+
unless ActionView::Base.instance_methods.include? :link_to_or_show
|
39
|
+
ActionView::Base.class_eval { include Exts::View }
|
40
|
+
end
|
41
|
+
|
42
|
+
load 'role_authorization/exts/session.rb'
|
43
|
+
load 'role_authorization/exts/controller.rb'
|
44
|
+
unless ActionController::Base.instance_methods.include? :authorized?
|
45
|
+
ActionController::Base.class_eval { include Exts::Session }
|
46
|
+
ActionController::Base.class_eval { include Exts::Controller }
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
def enable_activerecord
|
51
|
+
load 'role_authorization/exts/model.rb'
|
52
|
+
unless ActiveRecord::Base.instance_methods.include? :roleable
|
53
|
+
ActiveRecord::Base.class_eval { include Exts::Model }
|
54
|
+
end
|
55
|
+
|
56
|
+
load 'role_authorization/exts/user.rb'
|
57
|
+
end
|
58
|
+
|
59
|
+
def load_controller_classes
|
60
|
+
@controller_classes = {}
|
61
|
+
|
62
|
+
maybe_load_framework_controller_parent
|
63
|
+
|
64
|
+
Dir.chdir("#{Rails.root}/app/controllers") do
|
65
|
+
Dir["**/*.rb"].sort.each do |c|
|
66
|
+
next if c.include?("application")
|
67
|
+
rola_load(c)
|
68
|
+
end
|
69
|
+
end
|
70
|
+
|
71
|
+
# if ENV['RAILS_ENV'] != 'production'
|
72
|
+
# if ActiveSupport.const_defined?("Dependencies")
|
73
|
+
# ActiveSupport::Dependencies.clear
|
74
|
+
# else
|
75
|
+
# Dependencies.clear
|
76
|
+
# end
|
77
|
+
# end
|
78
|
+
end
|
79
|
+
|
80
|
+
def maybe_load_framework_controller_parent
|
81
|
+
if ::Rails::VERSION::MAJOR >= 3 || (::Rails::VERSION::MAJOR >= 2 && ::Rails::VERSION::MINOR >= 3)
|
82
|
+
filename = "application_controller.rb"
|
83
|
+
else
|
84
|
+
filename = "application.rb"
|
85
|
+
end
|
86
|
+
require_or_load(filename)
|
87
|
+
end
|
88
|
+
|
89
|
+
def rola_load(filename)
|
90
|
+
klass = class_name_from_file(filename)
|
91
|
+
require_or_load(filename)
|
92
|
+
@controller_classes[klass] = qualified_const_get(klass)
|
93
|
+
end
|
94
|
+
|
95
|
+
def require_or_load(filename)
|
96
|
+
if ActiveSupport.const_defined?("Dependencies")
|
97
|
+
ActiveSupport::Dependencies.require_or_load(filename)
|
98
|
+
else
|
99
|
+
Dependencies.require_or_load(filename)
|
100
|
+
end
|
101
|
+
end
|
102
|
+
|
103
|
+
def class_name_from_file(str)
|
104
|
+
str.split(".")[0].split("/").collect{|s| s.camelize }.join("::")
|
105
|
+
end
|
106
|
+
|
107
|
+
def qualified_const_get(klass)
|
108
|
+
if klass =~ /::/
|
109
|
+
namespace, klass = klass.split("::")
|
110
|
+
eval(namespace).const_get(klass)
|
111
|
+
else
|
112
|
+
const_get(klass)
|
113
|
+
end
|
114
|
+
end
|
115
|
+
end
|
116
|
+
end
|
@@ -0,0 +1,127 @@
|
|
1
|
+
module RoleAuthorization
|
2
|
+
module Exts
|
3
|
+
module Controller
|
4
|
+
def self.included(base)
|
5
|
+
base.class_eval do
|
6
|
+
rescue_from SecurityError, :with => proc {|e| access_denied(e)}
|
7
|
+
helper_method :authorized?
|
8
|
+
helper_method :accessible?
|
9
|
+
end
|
10
|
+
base.send :extend, RoleAuthorization::Ruleset::ClassMethods
|
11
|
+
base.send :cattr_ruleset, :ruleset, :allowable_groups
|
12
|
+
base.send :extend, ClassMethods
|
13
|
+
|
14
|
+
base.send :include, InstanceMethods
|
15
|
+
end
|
16
|
+
|
17
|
+
module ClassMethods
|
18
|
+
def allow_group(*args)
|
19
|
+
add_to_allowable_groups(self.controller_rule_name, args)
|
20
|
+
add_role_authorization_filter
|
21
|
+
end
|
22
|
+
|
23
|
+
def allow(&block)
|
24
|
+
add_to_ruleset(self.controller_rule_name, &block)
|
25
|
+
add_role_authorization_filter
|
26
|
+
end
|
27
|
+
|
28
|
+
def add_role_authorization_filter
|
29
|
+
callbacks = _process_action_callbacks
|
30
|
+
chain = callbacks.select {|cl| cl.klass.to_s.include?(name)}.collect(&:filter).select {|c| c.is_a?(Symbol)}
|
31
|
+
before_filter :check_request_authorization unless chain.include?(:check_request_authorization)
|
32
|
+
end
|
33
|
+
|
34
|
+
def controller_rule_name
|
35
|
+
@controller_rule_name ||= name.gsub('Controller', '').underscore.downcase
|
36
|
+
end
|
37
|
+
|
38
|
+
def controller_model
|
39
|
+
@controller_model ||= name.gsub('Controller', '').singularize
|
40
|
+
end
|
41
|
+
end # ClassMethods
|
42
|
+
|
43
|
+
module InstanceMethods
|
44
|
+
def check_request_authorization
|
45
|
+
unless authorized_action?(self, self.class.controller_rule_name, action_name.to_sym, params[:id])
|
46
|
+
raise SecurityError, "You do not have the required clearance to access this resource."
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
def authorized_action?(controller_klass, controller, action, id = nil)
|
51
|
+
# by default admins see everything
|
52
|
+
return true if current_user_is_admin?
|
53
|
+
|
54
|
+
ruleset = self.class.ruleset[controller]
|
55
|
+
groups = RoleAuthorization::AllowGroup.get(self.class.allowable_groups[controller])
|
56
|
+
|
57
|
+
if defined?(DEBUG_AUTHORIZATION_RULES) == 'constant'
|
58
|
+
Rails.logger.info "#" * 60
|
59
|
+
Rails.logger.info ruleset.to_s
|
60
|
+
Rails.logger.info "#" * 60
|
61
|
+
end
|
62
|
+
|
63
|
+
# we have no ruleset for this controller or any allow groups so deny
|
64
|
+
return false if ruleset.nil? && groups.empty?
|
65
|
+
|
66
|
+
# first check controller ruleset
|
67
|
+
unless ruleset.nil?
|
68
|
+
return true if ruleset.authorized?(controller_klass, controller, :all, id)
|
69
|
+
return true if ruleset.authorized?(controller_klass, controller, action, id)
|
70
|
+
end
|
71
|
+
|
72
|
+
# next check any allow groups
|
73
|
+
unless groups.empty?
|
74
|
+
groups.each do |group|
|
75
|
+
return true if group.authorized?(controller_klass, controller, :all, id)
|
76
|
+
return true if group.authorized?(controller_klass, controller, action, id)
|
77
|
+
end
|
78
|
+
end
|
79
|
+
|
80
|
+
# finally deny if they haven't passed any rules
|
81
|
+
return false
|
82
|
+
end
|
83
|
+
|
84
|
+
def accessible?(access_role)
|
85
|
+
return true if current_user_is_admin?
|
86
|
+
return false if access_role.nil?
|
87
|
+
return true if access_role.name.to_sym == :public
|
88
|
+
return false if session[:access_rights].nil?
|
89
|
+
session[:access_rights].include?(access_role.name.to_sym)
|
90
|
+
end
|
91
|
+
|
92
|
+
def authorized?(url, method = nil)
|
93
|
+
return false unless url
|
94
|
+
return true if current_user_is_admin?
|
95
|
+
|
96
|
+
method ||= (params[:method] || request.method)
|
97
|
+
url_parts = URI::split(url.strip)
|
98
|
+
path = url_parts[5]
|
99
|
+
|
100
|
+
begin
|
101
|
+
hash = Rails.application.routes.recognize_path(path, :method => method)
|
102
|
+
return authorized_action?(self, hash[:controller], hash[:action].to_sym, hash[:id]) if hash
|
103
|
+
rescue Exception => e
|
104
|
+
Rails.logger.error e.inspect
|
105
|
+
Rails.logger.error e.backtrace
|
106
|
+
# continue on
|
107
|
+
end
|
108
|
+
|
109
|
+
# Mailto link
|
110
|
+
return true if url =~ /^mailto:/
|
111
|
+
|
112
|
+
# Public file
|
113
|
+
file = File.join(RAILS_ROOT, 'public', url)
|
114
|
+
return true if File.exists?(file)
|
115
|
+
|
116
|
+
# Passing in different domain
|
117
|
+
return remote_url?(url_parts[2])
|
118
|
+
end
|
119
|
+
|
120
|
+
def remote_url?(domain = nil)
|
121
|
+
return false if domain.nil? || domain.strip.length == 0
|
122
|
+
request.host.downcase != domain.downcase
|
123
|
+
end
|
124
|
+
end # InstanceMethods
|
125
|
+
end
|
126
|
+
end
|
127
|
+
end
|
@@ -0,0 +1,126 @@
|
|
1
|
+
module RoleAuthorization
|
2
|
+
module Exts
|
3
|
+
module Model
|
4
|
+
def self.included(base)
|
5
|
+
base.send :extend, ClassMethods
|
6
|
+
base.send :include, InstanceMethods
|
7
|
+
end
|
8
|
+
|
9
|
+
module ClassMethods
|
10
|
+
def roleable_options
|
11
|
+
@roleable_options
|
12
|
+
end
|
13
|
+
|
14
|
+
def roleable_options=(options)
|
15
|
+
@roleable_options = options
|
16
|
+
end
|
17
|
+
|
18
|
+
def roleable options = {}
|
19
|
+
has_many :roles, :as => :roleable, :dependent => :delete_all
|
20
|
+
after_create :create_roles
|
21
|
+
|
22
|
+
send(:extend, SpecificClassMethods)
|
23
|
+
|
24
|
+
options[:name] ||= :class
|
25
|
+
|
26
|
+
options[:priority] ||= {}
|
27
|
+
options[:creation_priority] ||= {}
|
28
|
+
options[:roles] ||= [:default]
|
29
|
+
options[:roles].each do |role_name|
|
30
|
+
options[:priority][role_name] ||= 1
|
31
|
+
options[:creation_priority][role_name] ||= 1
|
32
|
+
end
|
33
|
+
|
34
|
+
options[:cache] = {}
|
35
|
+
@roleable_options = options
|
36
|
+
end # roleable
|
37
|
+
|
38
|
+
def enrolled(role_name)
|
39
|
+
roles = Role.all(:conditions => {:roleable_type => self.to_s, :name => role_name.to_s})
|
40
|
+
unless roles.empty?
|
41
|
+
roles.collect(&:users).flatten
|
42
|
+
else
|
43
|
+
[]
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end # ClassMethods
|
47
|
+
|
48
|
+
module SpecificClassMethods
|
49
|
+
def reset_roles
|
50
|
+
all.map(&:reset_roles)
|
51
|
+
end
|
52
|
+
end
|
53
|
+
|
54
|
+
module InstanceMethods
|
55
|
+
|
56
|
+
def reset_roles
|
57
|
+
options = self.class.roleable_options
|
58
|
+
|
59
|
+
mroles = roles.all
|
60
|
+
rejected_roles = mroles.reject {|r| options[:roles].include?(r.name.to_sym)}
|
61
|
+
rejected_roles.map {|rejected_role| rejected_role.destroy}
|
62
|
+
|
63
|
+
valid_roles = mroles - rejected_roles
|
64
|
+
valid_role_names = valid_roles.collect(&:name)
|
65
|
+
new_roles = options[:roles].select {|role| !valid_role_names.include?(role.to_sym)}
|
66
|
+
valid_roles.each do |role|
|
67
|
+
if roles.find_by_name(role.name.to_s).nil?
|
68
|
+
roles.create(:name => role.name.to_s,
|
69
|
+
:display_name => "#{self.send(options[:name])} #{role.name.to_s}",
|
70
|
+
:creation_priority => options[:creation_priority][role.name.to_s],
|
71
|
+
:priority => options[:priority][role.name.to_s])
|
72
|
+
end
|
73
|
+
end
|
74
|
+
new_roles.each do |role|
|
75
|
+
roles.create(:name => role.to_s,
|
76
|
+
:display_name => "#{self.send(options[:name])} #{role.to_s}",
|
77
|
+
:creation_priority => options[:creation_priority][role],
|
78
|
+
:priority => options[:priority][role])
|
79
|
+
end
|
80
|
+
roles(true).all
|
81
|
+
end
|
82
|
+
|
83
|
+
def enroll(user, role)
|
84
|
+
options = self.class.roleable_options
|
85
|
+
role = role.is_a?(Integer) ? roles.find_by_id(role) : roles.find_by_name(role.to_s)
|
86
|
+
user_id = ((user.is_a?(Integer) || user.is_a?(String)) ? user.to_i : user.id)
|
87
|
+
unless role.nil?
|
88
|
+
role.user_roles.create(:user_id => user_id)
|
89
|
+
end
|
90
|
+
end
|
91
|
+
alias_method :assign, :enroll
|
92
|
+
|
93
|
+
def enrolled(role)
|
94
|
+
role = roles.find_by_name(role.to_s)
|
95
|
+
unless role.nil?
|
96
|
+
role.users
|
97
|
+
else
|
98
|
+
[]
|
99
|
+
end
|
100
|
+
end
|
101
|
+
|
102
|
+
def withdraw(user, role = nil)
|
103
|
+
options = self.class.roleable_options
|
104
|
+
role = role.is_a?(Integer) ? roles.find_by_id(role, :include => :user_roles) : roles.find_by_name(role.to_s, :include => :user_roles)
|
105
|
+
user_id = ((user.is_a?(Integer) || user.is_a?(String)) ? user.to_i : user.id)
|
106
|
+
unless role.nil?
|
107
|
+
role.user_roles.first(:conditions => {:user_id => user_id}).try(:destroy)
|
108
|
+
else
|
109
|
+
UserRole.all(:conditions => {:user_id => user_id, :role_id => role_ids}).map(&:destroy)
|
110
|
+
end
|
111
|
+
end
|
112
|
+
|
113
|
+
private
|
114
|
+
def create_roles
|
115
|
+
options = self.class.roleable_options
|
116
|
+
options[:roles].each do |role|
|
117
|
+
roles.create(:name => role.to_s,
|
118
|
+
:display_name => "#{self.send(options[:name])} #{role.to_s}",
|
119
|
+
:creation_priority => options[:creation_priority][role],
|
120
|
+
:priority => options[:priority][role])
|
121
|
+
end
|
122
|
+
end # create_user_roles
|
123
|
+
end # InstanceMethods
|
124
|
+
end
|
125
|
+
end
|
126
|
+
end
|
@@ -0,0 +1,52 @@
|
|
1
|
+
module RoleAuthorization
|
2
|
+
module Exts
|
3
|
+
module Session
|
4
|
+
def self.included(base)
|
5
|
+
base.send :include, InstanceMethods
|
6
|
+
base.class_eval do
|
7
|
+
helper_method :current_user_is_admin?
|
8
|
+
helper_method :admin?
|
9
|
+
helper_method :access_in_role?
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
13
|
+
module InstanceMethods
|
14
|
+
protected
|
15
|
+
|
16
|
+
def add_role_authorization_session_values(user = nil)
|
17
|
+
user ||= current_user
|
18
|
+
|
19
|
+
if user
|
20
|
+
roles = user.roles.where({:roleable_id => nil}).all
|
21
|
+
session[:access_rights] = roles.collect {|role| role.name.to_sym}
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
def current_user_is_admin?
|
26
|
+
!session[:access_rights].nil? && session[:access_rights].include?(:all)
|
27
|
+
end
|
28
|
+
|
29
|
+
def admin?
|
30
|
+
current_user_is_admin?
|
31
|
+
end
|
32
|
+
|
33
|
+
def access_in_role?(role)
|
34
|
+
return true if current_user_is_admin?
|
35
|
+
return true if session_access_rights_include?(role)
|
36
|
+
false
|
37
|
+
end
|
38
|
+
|
39
|
+
def session_access_rights_include?(role)
|
40
|
+
return false unless session[:access_rights]
|
41
|
+
session[:access_rights].include?(role)
|
42
|
+
end
|
43
|
+
|
44
|
+
def reset_role_authorization_session
|
45
|
+
[:access_rights].each do |val|
|
46
|
+
session[val] = nil if session[val]
|
47
|
+
end
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
@@ -0,0 +1,58 @@
|
|
1
|
+
module RoleAuthorization
|
2
|
+
module Exts
|
3
|
+
module User
|
4
|
+
def self.included(base)
|
5
|
+
base.send :extend, ClassMethods
|
6
|
+
base.send :include, InstanceMethods
|
7
|
+
|
8
|
+
base.class_eval do
|
9
|
+
has_many :user_roles, :dependent => :delete_all
|
10
|
+
has_many :roles, :through => :user_roles
|
11
|
+
end
|
12
|
+
end
|
13
|
+
|
14
|
+
module ClassMethods
|
15
|
+
def enroll(user_id, role_name)
|
16
|
+
user = find_by_id(user_id.to_i)
|
17
|
+
user.enroll(role_name) unless user.nil?
|
18
|
+
end # enroll
|
19
|
+
|
20
|
+
def withdraw(user_id, role_name)
|
21
|
+
user = find_by_id(user_id.to_i)
|
22
|
+
user.withdraw(role_name) unless user.nil?
|
23
|
+
end # withdraw
|
24
|
+
end # ClassMethods
|
25
|
+
|
26
|
+
module InstanceMethods
|
27
|
+
# has_object_role? simply needs to return true or false whether a user has a role or not.
|
28
|
+
# It may be a good idea to have "admin" roles return true always
|
29
|
+
# Return false always for anonymous users
|
30
|
+
def has_object_role?(role, object)
|
31
|
+
return false if self.anonymous?
|
32
|
+
|
33
|
+
@object_user_roles ||= roles.all(:conditions => ["roleable_type IS NOT NULL and roleable_id IS NOT NULL"])
|
34
|
+
result = @object_user_roles.detect do |r|
|
35
|
+
r.roleable_type == object.class.to_s && r.roleable_id == object.id && r.name == role.to_s
|
36
|
+
end
|
37
|
+
!result.nil?
|
38
|
+
end
|
39
|
+
|
40
|
+
# adds a role to the user
|
41
|
+
def enroll(role_name)
|
42
|
+
role_id = role_name.is_a?(Integer) ? role_name : Role.find_by_name(role_name.to_s).try(:id)
|
43
|
+
user_roles.create(:role_id => role_id) if !role_id.nil? && self.user_roles.find_by_role_id(role_id).nil?
|
44
|
+
end
|
45
|
+
|
46
|
+
def withdraw(role_name)
|
47
|
+
role_id = role_name.is_a?(Integer) ? role_name : Role.find_by_name(role_name.to_s).try(:id)
|
48
|
+
UserRole.delete_all(["user_id = ? AND role_id = ?", self.id, role_id]) unless role_id.nil?
|
49
|
+
end
|
50
|
+
|
51
|
+
def admin?
|
52
|
+
return true if roles.include?(Role.get(:all))
|
53
|
+
false
|
54
|
+
end
|
55
|
+
end # InstanceMethods
|
56
|
+
end
|
57
|
+
end
|
58
|
+
end
|
@@ -0,0 +1,77 @@
|
|
1
|
+
module RoleAuthorization
|
2
|
+
module Exts
|
3
|
+
module View
|
4
|
+
def self.included(base)
|
5
|
+
base.class_eval do
|
6
|
+
alias_method :link_to_open, :link_to
|
7
|
+
alias_method :link_to, :link_to_secured
|
8
|
+
|
9
|
+
alias_method :button_to_open, :button_to
|
10
|
+
alias_method :button_to, :button_to_secured
|
11
|
+
|
12
|
+
alias_method :form_for_open, :form_for
|
13
|
+
alias_method :form_for, :form_for_secured
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
def form_for_secured(record_or_name_or_array, *args, &proc)
|
18
|
+
options = args.last.is_a?(Hash) ? args.last : {}
|
19
|
+
|
20
|
+
url = url_for(options[:url])
|
21
|
+
|
22
|
+
method = (options[:html] && options[:html].has_key?(:method)) ? options[:html][:method] : :post
|
23
|
+
|
24
|
+
if authorized?(url, method)
|
25
|
+
return form_for_open(record_or_name_or_array, *args, &proc)
|
26
|
+
else
|
27
|
+
return ""
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
def link_to_secured(name, options = {}, html_options = nil)
|
32
|
+
url = url_for(options)
|
33
|
+
|
34
|
+
method = (html_options && html_options.has_key?(:method)) ? html_options[:method] : :get
|
35
|
+
|
36
|
+
if authorized?(url, method)
|
37
|
+
return link_to_open(name, url, html_options)
|
38
|
+
else
|
39
|
+
return ""
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
def button_to_secured(name, options = {}, html_options = nil)
|
44
|
+
url = url_for(options)
|
45
|
+
|
46
|
+
method = (html_options && html_options.has_key?(:method)) ? html_options[:method] : :post
|
47
|
+
|
48
|
+
if authorized?(url, method)
|
49
|
+
return button_to_open(name, url, html_options)
|
50
|
+
else
|
51
|
+
return ""
|
52
|
+
end
|
53
|
+
end
|
54
|
+
|
55
|
+
def role(*user_roles, &block)
|
56
|
+
if block_given? && !session[:access_rights].blank? && !(user_roles & session[:access_rights]).empty?
|
57
|
+
capture_haml(&block)
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
def permitted_to?(url, method, &block)
|
62
|
+
capture_haml(&block) if block_given? && authorized?(url, method)
|
63
|
+
end
|
64
|
+
|
65
|
+
def link_to_or_show(name, options = {}, html_options = nil)
|
66
|
+
lnk = link_to(name, options, html_options)
|
67
|
+
lnk.length == 0 ? name : lnk
|
68
|
+
end
|
69
|
+
|
70
|
+
def links(*lis)
|
71
|
+
rvalue = []
|
72
|
+
lis.each{|link| rvalue << link if link.length > 0 }
|
73
|
+
rvalue.join(' | ')
|
74
|
+
end
|
75
|
+
end # View
|
76
|
+
end
|
77
|
+
end
|