zero_authorization 0.0.6 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +57 -2
- data/lib/zero_authorization/engine.rb +177 -0
- data/lib/zero_authorization/role.rb +51 -0
- data/lib/zero_authorization/version.rb +1 -1
- data/lib/zero_authorization.rb +8 -184
- data/zero_authorization.gemspec +7 -7
- metadata +15 -10
- data/roles_n_privileges_1.yml +0 -42
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c71ff5e0e8ab8e104e78ba8c1c3c86528a552a5c
|
|
4
|
+
data.tar.gz: 9d960e3adbe023f1bbcf1321642cbc2a5d1a54aa
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6b88ea53e319c66c3d04c116563df6af81375217d4934f135668fca7839dccba1467fb9450c6177e5e52fd969f752ac8cf6fb0c79a0fc6bba82f7af4643b0aad
|
|
7
|
+
data.tar.gz: a8d2a23fab3871be610f7296c2b3fae38a6e027d6c63caf667d4bfbfe957aa73b77371c76e5c7421aab4734f853603fd264c643262196a6b825cbe09d61ae9a3
|
data/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# ZeroAuthorization
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Functionality to add authorization on Rails model's write operations plus any other set of defined methods.
|
|
4
4
|
|
|
5
5
|
## Installation
|
|
6
6
|
|
|
@@ -18,7 +18,62 @@ Or install it yourself as:
|
|
|
18
18
|
|
|
19
19
|
## Usage
|
|
20
20
|
|
|
21
|
-
|
|
21
|
+
1. Specify what any specific role of current root entity(logged_user) can do/can't do in roles_n_privileges.yml
|
|
22
|
+
|
|
23
|
+
:role_role_name_one:
|
|
24
|
+
:can_do:
|
|
25
|
+
:Account:
|
|
26
|
+
- :create
|
|
27
|
+
- :save
|
|
28
|
+
- :update
|
|
29
|
+
:User:
|
|
30
|
+
- :create
|
|
31
|
+
- :save
|
|
32
|
+
- :update
|
|
33
|
+
:ModelCrudHistory: :anything
|
|
34
|
+
:Permission: :anything
|
|
35
|
+
:cant_do:
|
|
36
|
+
:Project:
|
|
37
|
+
- :destroy
|
|
38
|
+
:role_role_name_two:
|
|
39
|
+
:can_do:
|
|
40
|
+
:Project:
|
|
41
|
+
- :create
|
|
42
|
+
- :save:
|
|
43
|
+
:if:
|
|
44
|
+
:authorize?
|
|
45
|
+
- :update:
|
|
46
|
+
:if:
|
|
47
|
+
:authorize?
|
|
48
|
+
- :destroy:
|
|
49
|
+
:if:
|
|
50
|
+
:authorize?
|
|
51
|
+
:role_role_name_three:
|
|
52
|
+
:can_do:
|
|
53
|
+
:Plant:
|
|
54
|
+
- :create
|
|
55
|
+
- :save
|
|
56
|
+
- :update
|
|
57
|
+
- :destroy
|
|
58
|
+
:cant_do: :anything
|
|
59
|
+
|
|
60
|
+
2. Restrict models for activity and let rule-set(s) via zero-authorization take control of activity
|
|
61
|
+
|
|
62
|
+
1 Add initializer file with content (if all existing models needs to have restrictions. Easy way out).
|
|
63
|
+
|
|
64
|
+
# Make a file restrict_models.rb in Rails.root/config/initializers
|
|
65
|
+
Rails.application.eager_load!
|
|
66
|
+
ActiveRecord::Base.descendants.each do |descendant|
|
|
67
|
+
descendant.send(:include, ZeroAuthorization::Engine)
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
2 To hand pick some models for restriction
|
|
71
|
+
|
|
72
|
+
class ModelName < ActiveRecord::Base
|
|
73
|
+
include ZeroAuthorization::Engine
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
4. (Re-)boot application.
|
|
22
77
|
|
|
23
78
|
## Contributing
|
|
24
79
|
|
|
@@ -0,0 +1,177 @@
|
|
|
1
|
+
module ZeroAuthorization
|
|
2
|
+
module Engine
|
|
3
|
+
def self.included(base)
|
|
4
|
+
puts "Initializing ZeroAuthorization for #{base.name}"
|
|
5
|
+
|
|
6
|
+
base.extend(ClassMethods)
|
|
7
|
+
|
|
8
|
+
# Initializing authentication mode. Options are
|
|
9
|
+
# :strict =>'raise exception and deny operation if not authorized' ,
|
|
10
|
+
# :warning => 'display only warning without exception' [DEFAULT],
|
|
11
|
+
# :superficial =>'allow operation without authorization'
|
|
12
|
+
base.send(:initialize_authorization_mode)
|
|
13
|
+
|
|
14
|
+
# Applying restriction on methods
|
|
15
|
+
base.send(:initialize_methods_restriction)
|
|
16
|
+
|
|
17
|
+
# Applying restriction on crud write operations
|
|
18
|
+
base.send(:before_save, :is_zero_authorized_4_save)
|
|
19
|
+
base.send(:before_create, :is_zero_authorized_4_create)
|
|
20
|
+
base.send(:before_update, :is_zero_authorized_4_update)
|
|
21
|
+
base.send(:before_destroy, :is_zero_authorized_4_destroy)
|
|
22
|
+
|
|
23
|
+
|
|
24
|
+
private
|
|
25
|
+
|
|
26
|
+
# Authorization for authorization mode :strict
|
|
27
|
+
def authorize_strictly(action)
|
|
28
|
+
role = ZeroAuthorization::Role.role
|
|
29
|
+
raise 'ZeroAuthorizationRoleNotAvailable' if role.nil?
|
|
30
|
+
|
|
31
|
+
if zero_authorized_core(role, action)
|
|
32
|
+
return true
|
|
33
|
+
else
|
|
34
|
+
logger.debug 'ZeroAuthorization: Not authorized to perform activity.'
|
|
35
|
+
raise 'NotAuthorized'
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
false
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
# Authorization for authorization mode :warning
|
|
42
|
+
def authorize_with_warning(action)
|
|
43
|
+
role = ZeroAuthorization::Role.role
|
|
44
|
+
raise 'ZeroAuthorizationRoleNotAvailable' if role.nil?
|
|
45
|
+
|
|
46
|
+
if zero_authorized_core(role, action)
|
|
47
|
+
return true
|
|
48
|
+
else
|
|
49
|
+
logger.debug 'ERROR: ZeroAuthorization: Not authorized to perform activity.'
|
|
50
|
+
self.errors.add(:authorization_error, 'occurred, Unauthorized to perform this activity')
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
false
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
# Authorization for authorization mode :superficial
|
|
57
|
+
def authorize_superficially(action)
|
|
58
|
+
logger.debug 'ZeroAuthorizationMode: superficial. By passing authorization.'
|
|
59
|
+
return true
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
# Return authorization mode
|
|
63
|
+
def zero_authorized_checker(action)
|
|
64
|
+
if self.class.authorization_mode == :strict
|
|
65
|
+
return authorize_strictly(action)
|
|
66
|
+
elsif self.class.authorization_mode == :warning
|
|
67
|
+
return authorize_with_warning(action)
|
|
68
|
+
elsif self.class.authorization_mode == :superficial
|
|
69
|
+
return authorize_superficially(action)
|
|
70
|
+
else
|
|
71
|
+
raise 'InvalidAuthorizationMode'
|
|
72
|
+
end
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
# Core of authorization after reading/parsing rule set for current role
|
|
76
|
+
def zero_authorized_core(role, action)
|
|
77
|
+
_auth_flag = false
|
|
78
|
+
unless role.rule_set[:can_do].nil?
|
|
79
|
+
if role.rule_set[:can_do] == :anything
|
|
80
|
+
_auth_flag = true
|
|
81
|
+
|
|
82
|
+
elsif role.rule_set[:can_do].is_a?(Hash)
|
|
83
|
+
|
|
84
|
+
if role.rule_set[:can_do][self.class.name.to_sym] == :anything
|
|
85
|
+
_auth_flag = true
|
|
86
|
+
else
|
|
87
|
+
logger.debug "----------- self.class.name.to_sym: #{self.class.name.to_sym}"
|
|
88
|
+
symbolized_actions = role.rule_set[:can_do][self.class.name.to_sym].collect { |x| x if x.is_a?(Symbol) }.compact
|
|
89
|
+
_auth_flag = if symbolized_actions.include?(action)
|
|
90
|
+
true
|
|
91
|
+
else
|
|
92
|
+
conditional_check =nil
|
|
93
|
+
(role.rule_set[:can_do][self.class.name.to_sym]- symbolized_actions).each do |action_rule_hash|
|
|
94
|
+
conditional_check = action_rule_hash[action] if action_rule_hash.keys.include? action
|
|
95
|
+
end
|
|
96
|
+
conditional_check ||= {}
|
|
97
|
+
conditional_check= conditional_check[:if]
|
|
98
|
+
return self.send(conditional_check) unless conditional_check.nil?
|
|
99
|
+
false
|
|
100
|
+
end
|
|
101
|
+
#_auth_flag = true if (role.rule_set[:can_do][self.class.name.to_sym] || []).include?(action)
|
|
102
|
+
end
|
|
103
|
+
end
|
|
104
|
+
end
|
|
105
|
+
unless role.rule_set[:cant_do].nil?
|
|
106
|
+
if role.rule_set[:cant_do] == :anything
|
|
107
|
+
_auth_flag = false
|
|
108
|
+
elsif role.rule_set[:cant_do].is_a?(Hash)
|
|
109
|
+
_auth_flag = false if (role.rule_set[:cant_do][self.class.name.to_sym] || []).include?(action)
|
|
110
|
+
end
|
|
111
|
+
end
|
|
112
|
+
_auth_flag
|
|
113
|
+
end
|
|
114
|
+
|
|
115
|
+
def is_zero_authorized_4_save
|
|
116
|
+
zero_authorized_checker(:save)
|
|
117
|
+
end
|
|
118
|
+
|
|
119
|
+
def is_zero_authorized_4_create
|
|
120
|
+
zero_authorized_checker(:create)
|
|
121
|
+
end
|
|
122
|
+
|
|
123
|
+
def is_zero_authorized_4_update
|
|
124
|
+
zero_authorized_checker(:update)
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
def is_zero_authorized_4_destroy
|
|
128
|
+
zero_authorized_checker(:destroy)
|
|
129
|
+
end
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
module ClassMethods
|
|
133
|
+
attr_accessor :authorization_mode
|
|
134
|
+
|
|
135
|
+
def list_of_methods_to_guard
|
|
136
|
+
_model_methods_set = {}
|
|
137
|
+
Role.roles_n_privileges_hash.each do |role_key, permission_value|
|
|
138
|
+
unless permission_value[:can_do].nil?
|
|
139
|
+
_model_methods_set = _model_methods_set.merge(permission_value[:can_do]) { |key, oval, nval| ([oval] << [nval]).flatten.compact.uniq } if permission_value[:can_do].is_a?(Hash)
|
|
140
|
+
end
|
|
141
|
+
unless permission_value[:cant_do].nil?
|
|
142
|
+
_model_methods_set = _model_methods_set.merge(permission_value[:cant_do]) { |key, oval, nval| ([oval] << [nval]).flatten.compact.uniq } if permission_value[:cant_do].is_a?(Hash)
|
|
143
|
+
end
|
|
144
|
+
end
|
|
145
|
+
if _model_methods_set[self.name.to_sym] == :anything
|
|
146
|
+
_model_methods_set.delete(self.name.to_sym)
|
|
147
|
+
end
|
|
148
|
+
(_model_methods_set[self.name.to_sym] || []).clone.delete_if do |x|
|
|
149
|
+
if x.is_a? Hash
|
|
150
|
+
x= x.keys.first
|
|
151
|
+
end
|
|
152
|
+
[:create, :save, :update, :destroy, :anything].include?(x)
|
|
153
|
+
end
|
|
154
|
+
end
|
|
155
|
+
|
|
156
|
+
private
|
|
157
|
+
def initialize_authorization_mode
|
|
158
|
+
@authorization_mode = :warning # :strict, :warning and :superficial
|
|
159
|
+
end
|
|
160
|
+
|
|
161
|
+
# applying restriction on methods
|
|
162
|
+
def initialize_methods_restriction
|
|
163
|
+
list_of_methods_to_guard.each do |method_name|
|
|
164
|
+
if method_name.is_a? Hash
|
|
165
|
+
method_name = method_name.keys.first
|
|
166
|
+
end
|
|
167
|
+
send(:alias_method, "za_#{method_name}", method_name)
|
|
168
|
+
define_method "#{method_name}" do |*args|
|
|
169
|
+
puts 'Restricted method call..'
|
|
170
|
+
send("za_#{method_name}", *args) if zero_authorized_checker(method_name)
|
|
171
|
+
end
|
|
172
|
+
end
|
|
173
|
+
end
|
|
174
|
+
end
|
|
175
|
+
end
|
|
176
|
+
|
|
177
|
+
end
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
module ZeroAuthorization
|
|
2
|
+
|
|
3
|
+
class Role
|
|
4
|
+
cattr_writer :role
|
|
5
|
+
|
|
6
|
+
# Initializing role
|
|
7
|
+
def initialize(role_name)
|
|
8
|
+
@role_name = role_name
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def to_s
|
|
12
|
+
@role_name.to_s
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
# Getting rule_set(s) for the role
|
|
16
|
+
def rule_set
|
|
17
|
+
self.class.roles_n_privileges_hash["role_#{@role_name}".to_sym]
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
#Returns a valid role if available defined from config/roles_n_privileges.yml else a nil
|
|
21
|
+
def self.role
|
|
22
|
+
roles_n_privileges_hash.keys.collect { |key| key.to_s.gsub(/^role_/, '') }.include?(@@role) ? new(@@role) : nil
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
# Cache read of config/roles_n_privileges.yml for role_privileges_hash
|
|
26
|
+
def self.roles_n_privileges_hash
|
|
27
|
+
@roles_n_privileges_hash ||= YAML::load_file(File.join(Rails.root, 'config', 'roles_n_privileges.yml'))
|
|
28
|
+
@roles_n_privileges_hash
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
# Hard read of config/roles_n_privileges.yml for role_privileges_hash
|
|
32
|
+
def self.roles_n_privileges_hash_reload
|
|
33
|
+
@roles_n_privileges_hash = YAML::load_file(File.join(Rails.root, 'config', 'roles_n_privileges.yml'))
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
# Do any activity with any specific temporary role and then revert back to normal situation.
|
|
37
|
+
# Example:
|
|
38
|
+
# ZeroAuthorization::Role.temp_role('default') do
|
|
39
|
+
# Patron.all.each do |patron|
|
|
40
|
+
# patron.some_restricted_method_call!
|
|
41
|
+
# end
|
|
42
|
+
#end
|
|
43
|
+
def self.temp_role(temp_role, &block)
|
|
44
|
+
_current_role = self.role.nil? ? self.role : self.role.to_s
|
|
45
|
+
self.role=temp_role
|
|
46
|
+
yield
|
|
47
|
+
self.role=_current_role
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
end
|
|
51
|
+
end
|
data/lib/zero_authorization.rb
CHANGED
|
@@ -3,187 +3,11 @@ require 'active_record'
|
|
|
3
3
|
require 'active_support/core_ext'
|
|
4
4
|
require "zero_authorization/version"
|
|
5
5
|
require 'zero_authorization/exceptions'
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
@role_name = role_name
|
|
15
|
-
end
|
|
16
|
-
|
|
17
|
-
def to_s
|
|
18
|
-
@role_name.to_s
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
# Getting rule_set(s) for the role
|
|
22
|
-
def rule_set
|
|
23
|
-
self.class.roles_n_privileges_hash["role_#{@role_name}".to_sym]
|
|
24
|
-
end
|
|
25
|
-
|
|
26
|
-
#Returns role if role can be formed/included in parsed hash's keys of parse_roles_n_privileges_yml
|
|
27
|
-
def self.role
|
|
28
|
-
roles_n_privileges_hash.keys.collect { |key| key.to_s.gsub(/^role_/, '') }.include?(@@role) ? new(@@role) : nil
|
|
29
|
-
end
|
|
30
|
-
|
|
31
|
-
# role_privileges_hash in place of yml
|
|
32
|
-
#TODO: Read it from YML and also provide functionality to reload it after caching
|
|
33
|
-
def self.roles_n_privileges_hash
|
|
34
|
-
@roles_n_privileges_hash ||= YAML::load_file(File.join(Rails.root, 'config', 'roles_n_privileges.yml'))
|
|
35
|
-
@roles_n_privileges_hash
|
|
36
|
-
end
|
|
37
|
-
|
|
38
|
-
def self.roles_n_privileges_hash_reload
|
|
39
|
-
@roles_n_privileges_hash = YAML::load_file(File.join(Rails.root, 'config', 'roles_n_privileges.yml'))
|
|
40
|
-
end
|
|
41
|
-
|
|
42
|
-
end
|
|
43
|
-
|
|
44
|
-
module Engine
|
|
45
|
-
def self.included(base)
|
|
46
|
-
puts "Initializing ZeroAuthorization for #{base.name}"
|
|
47
|
-
|
|
48
|
-
base.extend(ClassMethods)
|
|
49
|
-
|
|
50
|
-
# Initializing authentication mode. Options are
|
|
51
|
-
# :strict =>'raise exception and deny operation if not authorized' ,
|
|
52
|
-
# :warning => 'display only warning without exception',
|
|
53
|
-
# :superficial =>'allow operation without authorization'
|
|
54
|
-
base.send(:initialize_authorization_mode)
|
|
55
|
-
|
|
56
|
-
# Applying restriction on methods
|
|
57
|
-
base.send(:initialize_methods_restriction)
|
|
58
|
-
|
|
59
|
-
# Applying restriction on crud write operations
|
|
60
|
-
base.send(:before_save, :is_zero_authorized_4_save)
|
|
61
|
-
base.send(:before_create, :is_zero_authorized_4_create)
|
|
62
|
-
base.send(:before_update, :is_zero_authorized_4_update)
|
|
63
|
-
base.send(:before_destroy, :is_zero_authorized_4_destroy)
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
private
|
|
67
|
-
|
|
68
|
-
# Authorization for authorization mode :strict
|
|
69
|
-
def authorize_strictly(action)
|
|
70
|
-
role = ZeroAuthorization::Role.role
|
|
71
|
-
raise 'ZeroAuthorizationRoleNotAvailable' if role.nil?
|
|
72
|
-
|
|
73
|
-
if zero_authorized_core(role, action)
|
|
74
|
-
return true
|
|
75
|
-
else
|
|
76
|
-
logger.info 'ZeroAuthorization: Not authorized to perform activity.'
|
|
77
|
-
raise 'NotAuthorized'
|
|
78
|
-
end
|
|
79
|
-
|
|
80
|
-
false
|
|
81
|
-
end
|
|
82
|
-
|
|
83
|
-
# Authorization for authorization mode :warning
|
|
84
|
-
def authorize_with_warning(action)
|
|
85
|
-
role = ZeroAuthorization::Role.role
|
|
86
|
-
raise 'ZeroAuthorizationRoleNotAvailable' if role.nil?
|
|
87
|
-
|
|
88
|
-
if zero_authorized_core(role, action)
|
|
89
|
-
return true
|
|
90
|
-
else
|
|
91
|
-
logger.info 'ERROR: ZeroAuthorization: Not authorized to perform activity.'
|
|
92
|
-
end
|
|
93
|
-
|
|
94
|
-
false
|
|
95
|
-
end
|
|
96
|
-
|
|
97
|
-
# Authorization for authorization mode :superficial
|
|
98
|
-
def authorize_superficially(action)
|
|
99
|
-
logger.info 'ZeroAuthorizationMode: superficial. By passing authorization.'
|
|
100
|
-
return true
|
|
101
|
-
end
|
|
102
|
-
|
|
103
|
-
# Return authorization mode
|
|
104
|
-
def zero_authorized_checker(action)
|
|
105
|
-
if self.class.authorization_mode == :strict
|
|
106
|
-
return authorize_strictly(action)
|
|
107
|
-
elsif self.class.authorization_mode == :warning
|
|
108
|
-
return authorize_with_warning(action)
|
|
109
|
-
elsif self.class.authorization_mode == :superficial
|
|
110
|
-
return authorize_superficially(action)
|
|
111
|
-
else
|
|
112
|
-
raise 'InvalidAuthorizationMode'
|
|
113
|
-
end
|
|
114
|
-
end
|
|
115
|
-
|
|
116
|
-
# Core of authorization after reading/parsing rule set for current role
|
|
117
|
-
def zero_authorized_core(role, action)
|
|
118
|
-
_auth_flag = false
|
|
119
|
-
unless role.rule_set[:can_do].nil?
|
|
120
|
-
if role.rule_set[:can_do] == :anything
|
|
121
|
-
_auth_flag = true
|
|
122
|
-
elsif role.rule_set[:can_do].is_a?(Hash)
|
|
123
|
-
_auth_flag = true if (role.rule_set[:can_do][self.class.name.to_sym] || []).include?(action)
|
|
124
|
-
end
|
|
125
|
-
end
|
|
126
|
-
unless role.rule_set[:cant_do].nil?
|
|
127
|
-
if role.rule_set[:cant_do] == :anything
|
|
128
|
-
_auth_flag = false
|
|
129
|
-
elsif role.rule_set[:cant_do].is_a?(Hash)
|
|
130
|
-
_auth_flag = false if (role.rule_set[:cant_do][self.class.name.to_sym] || []).include?(action)
|
|
131
|
-
end
|
|
132
|
-
end
|
|
133
|
-
_auth_flag
|
|
134
|
-
end
|
|
135
|
-
|
|
136
|
-
def is_zero_authorized_4_save
|
|
137
|
-
zero_authorized_checker(:save)
|
|
138
|
-
end
|
|
139
|
-
|
|
140
|
-
def is_zero_authorized_4_create
|
|
141
|
-
zero_authorized_checker(:create)
|
|
142
|
-
end
|
|
143
|
-
|
|
144
|
-
def is_zero_authorized_4_update
|
|
145
|
-
zero_authorized_checker(:update)
|
|
146
|
-
end
|
|
147
|
-
|
|
148
|
-
def is_zero_authorized_4_destroy
|
|
149
|
-
zero_authorized_checker(:destroy)
|
|
150
|
-
end
|
|
151
|
-
end
|
|
152
|
-
|
|
153
|
-
module ClassMethods
|
|
154
|
-
attr_accessor :authorization_mode
|
|
155
|
-
|
|
156
|
-
def list_of_methods_to_guard
|
|
157
|
-
_model_methods_set = {}
|
|
158
|
-
Role.roles_n_privileges_hash.each do |role_key, permission_value|
|
|
159
|
-
unless permission_value[:can_do].nil?
|
|
160
|
-
_model_methods_set = _model_methods_set.merge(permission_value[:can_do]) { |key, oval, nval| ([oval] << [nval]).flatten.compact.uniq } if permission_value[:can_do].is_a?(Hash)
|
|
161
|
-
end
|
|
162
|
-
unless permission_value[:cant_do].nil?
|
|
163
|
-
_model_methods_set = _model_methods_set.merge(permission_value[:cant_do]) { |key, oval, nval| ([oval] << [nval]).flatten.compact.uniq } if permission_value[:cant_do].is_a?(Hash)
|
|
164
|
-
end
|
|
165
|
-
end
|
|
166
|
-
|
|
167
|
-
(_model_methods_set[self.name.to_sym] || []).clone.delete_if { |x| [:create, :save, :update, :destroy].include?(x) }
|
|
168
|
-
end
|
|
169
|
-
|
|
170
|
-
private
|
|
171
|
-
def initialize_authorization_mode
|
|
172
|
-
@authorization_mode = :strict # :strict, :warning and :superficial
|
|
173
|
-
end
|
|
174
|
-
|
|
175
|
-
# applying restriction on methods TODO 'it will be done by yml'
|
|
176
|
-
def initialize_methods_restriction
|
|
177
|
-
list_of_methods_to_guard.each do |method_name|
|
|
178
|
-
send(:alias_method, "za_#{method_name}", method_name)
|
|
179
|
-
define_method "#{method_name}" do |*args|
|
|
180
|
-
puts 'Restricted method call..'
|
|
181
|
-
send("za_#{method_name}", *args) if zero_authorized_checker(method_name)
|
|
182
|
-
end
|
|
183
|
-
end
|
|
184
|
-
end
|
|
185
|
-
end
|
|
186
|
-
end
|
|
187
|
-
|
|
188
|
-
end
|
|
189
|
-
|
|
6
|
+
require 'zero_authorization/role'
|
|
7
|
+
require 'zero_authorization/engine'
|
|
8
|
+
|
|
9
|
+
#Add these lines in initializer of rails application.
|
|
10
|
+
#Rails.application.eager_load!
|
|
11
|
+
#ActiveRecord::Base.descendants.each do |descendant|
|
|
12
|
+
# descendant.send(:include, ZeroAuthorization::Engine)
|
|
13
|
+
#end
|
data/zero_authorization.gemspec
CHANGED
|
@@ -6,10 +6,10 @@ require 'zero_authorization/version'
|
|
|
6
6
|
Gem::Specification.new do |spec|
|
|
7
7
|
spec.name = "zero_authorization"
|
|
8
8
|
spec.version = ZeroAuthorization::VERSION
|
|
9
|
-
spec.authors = ["Rajeev Kannav Sharma"]
|
|
10
|
-
spec.email = ["rajeevsharma86@gmail.com"]
|
|
11
|
-
spec.description =
|
|
12
|
-
spec.summary =
|
|
9
|
+
spec.authors = ["Rajeev Kannav Sharma", "Praveen Kumar Sinha"]
|
|
10
|
+
spec.email = ["rajeevsharma86@gmail.com", "praveen.kumar.sinha@gmail.com"]
|
|
11
|
+
spec.description = "Functionality to add authorization on Rails model's write operations plus any other set of defined methods."
|
|
12
|
+
spec.summary = "How to setup: Specify what any specific role of current root entity(logged_user) can do/can't do in roles_n_privileges.yml and (re-)boot application."
|
|
13
13
|
spec.homepage = "https://github.com/rajeevkannav/zero_authorization"
|
|
14
14
|
spec.license = "MIT"
|
|
15
15
|
|
|
@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
|
|
|
18
18
|
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
|
19
19
|
spec.require_paths = ["lib"]
|
|
20
20
|
|
|
21
|
-
spec.add_development_dependency
|
|
22
|
-
spec.add_development_dependency
|
|
23
|
-
spec.add_development_dependency
|
|
21
|
+
spec.add_development_dependency 'bundler', "~> 1.3"
|
|
22
|
+
spec.add_development_dependency 'rake', '~> 0'
|
|
23
|
+
spec.add_development_dependency 'activesupport', '~> 0'
|
|
24
24
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,15 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: zero_authorization
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0
|
|
4
|
+
version: 1.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rajeev Kannav Sharma
|
|
8
|
+
- Praveen Kumar Sinha
|
|
8
9
|
autorequire:
|
|
9
10
|
bindir: bin
|
|
10
11
|
cert_chain: []
|
|
11
|
-
date:
|
|
12
|
+
date: 2014-02-04 00:00:00.000000000 Z
|
|
12
13
|
dependencies:
|
|
13
14
|
- !ruby/object:Gem::Dependency
|
|
14
15
|
name: bundler
|
|
@@ -28,33 +29,35 @@ dependencies:
|
|
|
28
29
|
name: rake
|
|
29
30
|
requirement: !ruby/object:Gem::Requirement
|
|
30
31
|
requirements:
|
|
31
|
-
- -
|
|
32
|
+
- - ~>
|
|
32
33
|
- !ruby/object:Gem::Version
|
|
33
34
|
version: '0'
|
|
34
35
|
type: :development
|
|
35
36
|
prerelease: false
|
|
36
37
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
38
|
requirements:
|
|
38
|
-
- -
|
|
39
|
+
- - ~>
|
|
39
40
|
- !ruby/object:Gem::Version
|
|
40
41
|
version: '0'
|
|
41
42
|
- !ruby/object:Gem::Dependency
|
|
42
43
|
name: activesupport
|
|
43
44
|
requirement: !ruby/object:Gem::Requirement
|
|
44
45
|
requirements:
|
|
45
|
-
- -
|
|
46
|
+
- - ~>
|
|
46
47
|
- !ruby/object:Gem::Version
|
|
47
48
|
version: '0'
|
|
48
49
|
type: :development
|
|
49
50
|
prerelease: false
|
|
50
51
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
52
|
requirements:
|
|
52
|
-
- -
|
|
53
|
+
- - ~>
|
|
53
54
|
- !ruby/object:Gem::Version
|
|
54
55
|
version: '0'
|
|
55
|
-
description:
|
|
56
|
+
description: Functionality to add authorization on Rails model's write operations
|
|
57
|
+
plus any other set of defined methods.
|
|
56
58
|
email:
|
|
57
59
|
- rajeevsharma86@gmail.com
|
|
60
|
+
- praveen.kumar.sinha@gmail.com
|
|
58
61
|
executables: []
|
|
59
62
|
extensions: []
|
|
60
63
|
extra_rdoc_files: []
|
|
@@ -66,10 +69,11 @@ files:
|
|
|
66
69
|
- README.md
|
|
67
70
|
- Rakefile
|
|
68
71
|
- lib/zero_authorization.rb
|
|
72
|
+
- lib/zero_authorization/engine.rb
|
|
69
73
|
- lib/zero_authorization/exceptions.rb
|
|
74
|
+
- lib/zero_authorization/role.rb
|
|
70
75
|
- lib/zero_authorization/version.rb
|
|
71
76
|
- roles_n_privileges.yml
|
|
72
|
-
- roles_n_privileges_1.yml
|
|
73
77
|
- zero_authorization.gemspec
|
|
74
78
|
homepage: https://github.com/rajeevkannav/zero_authorization
|
|
75
79
|
licenses:
|
|
@@ -91,8 +95,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
91
95
|
version: '0'
|
|
92
96
|
requirements: []
|
|
93
97
|
rubyforge_project:
|
|
94
|
-
rubygems_version: 2.
|
|
98
|
+
rubygems_version: 2.1.11
|
|
95
99
|
signing_key:
|
|
96
100
|
specification_version: 4
|
|
97
|
-
summary:
|
|
101
|
+
summary: 'How to setup: Specify what any specific role of current root entity(logged_user)
|
|
102
|
+
can do/can''t do in roles_n_privileges.yml and (re-)boot application.'
|
|
98
103
|
test_files: []
|
data/roles_n_privileges_1.yml
DELETED
|
@@ -1,42 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
:role_root:
|
|
3
|
-
:can_do:
|
|
4
|
-
:User:
|
|
5
|
-
- :update
|
|
6
|
-
- :save
|
|
7
|
-
:cant_do:
|
|
8
|
-
:User:
|
|
9
|
-
- :destroy
|
|
10
|
-
:role_prospect_designer:
|
|
11
|
-
:can_do:
|
|
12
|
-
:BuildingBlock:
|
|
13
|
-
- :create
|
|
14
|
-
- :save
|
|
15
|
-
- :update
|
|
16
|
-
- :destroy
|
|
17
|
-
- :finalize!
|
|
18
|
-
:ParameterGroup:
|
|
19
|
-
- :create
|
|
20
|
-
- :save
|
|
21
|
-
- :update
|
|
22
|
-
- :destroy
|
|
23
|
-
:BlockParameter:
|
|
24
|
-
- :create
|
|
25
|
-
- :save
|
|
26
|
-
- :update
|
|
27
|
-
- :destroy
|
|
28
|
-
:role_plant_engineer:
|
|
29
|
-
:can_do:
|
|
30
|
-
:Recipe:
|
|
31
|
-
- :create
|
|
32
|
-
- :save
|
|
33
|
-
- :update
|
|
34
|
-
- :destroy
|
|
35
|
-
:role_super_user:
|
|
36
|
-
:can_do:
|
|
37
|
-
:Plant:
|
|
38
|
-
- :create
|
|
39
|
-
- :save
|
|
40
|
-
- :update
|
|
41
|
-
- :destroy
|
|
42
|
-
:cant_do: :anything
|