| Class | Permission |
| In: |
app/models/permission.rb
|
| Parent: | ActiveRecord::Base |
| WILDCARD_CLASSES | = | %W(User Role Firm | HACK: Names of classes that the UI will present as possible values for an ‘any’ class. NB that other classes will still work programmatically … |
Returns true if this permission grants the given user (of the given firm) the privilege priv on obj.
# File app/models/permission.rb, line 152
# Decides whether this permission lets +user+ exercise +priv+ on +obj+.
#
# Every check fails closed: the first mismatch returns false, and only a
# permission that passes all of them is handed to allows_internal? for the
# final decision.
#
# obj::  the object being accessed; its exact class name must equal class_name
# priv:: the privilege being requested
# user:: the user requesting access (only passed through to allows_internal?)
def allows?( obj, priv, user )
  # Exact string match on the class name, so an instance of a subclass is
  # not covered by a permission on its parent class.
  # NOTE(review): a class_name of 'any' (accepted by can_grant? and
  # description) cannot equal a real class name, so such a permission never
  # passes this line -- confirm wildcard classes are meant for grants only.
  return false unless obj.class.name == class_name

  # :any is the wildcard privilege; otherwise the privilege must match.
  return false unless privilege == :any || privilege == priv

  # A grant permission authorises handing out permissions (see can_grant?);
  # it never authorises direct access to the object.
  return false if is_grant

  allows_internal?( obj, user )
end
Returns true if this permission can grant the other_perm. That is, if my_grant_perm.can_grant?( other_perm ), and the user has my_grant_perm, they can add other_perm to a role.
# File app/models/permission.rb, line 194
# Tells whether holding this permission is enough to hand out +other_perm+.
#
# The rule throughout is that +other_perm+ may be no broader than this
# permission; any check that cannot confirm that returns false.
#
# other_perm:: the permission someone wants to add to a role
def can_grant?( other_perm )
  # Only grant permissions can authorise granting anything.
  return false unless is_grant

  # Handing out a grant permission needs the grant option.
  return false if !has_grant_option && other_perm.is_grant

  # A grant limited to the grantee's own objects cannot produce a
  # permission that lacks that limit.
  return false if target_owned_by_self && !other_perm.target_owned_by_self

  # 'any' and :any are the wildcards; otherwise class and privilege must
  # be the same on both permissions.
  return false unless class_name == 'any' || class_name == other_perm.class_name
  return false unless privilege == :any || privilege == other_perm.privilege

  # Each access-control key set on this permission must carry the same
  # value on other_perm; a nil key here places no restriction.
  # The key names come from the model class, not from the caller.
  self.class.target_access_control_keys.none? do |key|
    mine = send( key )
    !mine.nil? && mine != other_perm.send( key )
  end
end
Textual description of access granted by this permission. (XXX This routine knows all the access control keys, and must be updated for a new one.)
# File app/models/permission.rb, line 223
# Builds a human-readable sentence describing what this permission grants.
#
# The sentence is assembled in a fixed order: grant prefix, privilege,
# paid/unpaid qualifier, class, then a comma-separated list of restrictions.
#
# NOTE(review): target_name and the owner / firm names are inserted as
# stored; escape the result wherever it is rendered into HTML.
def description
  pieces = []

  if is_grant? && has_grant_option?
    pieces << 'grant permission (with grant option) to '
  elsif is_grant?
    pieces << 'grant permission to '
  end

  pieces << (privilege == :any ? 'take any action on ' : privilege.to_s + ' ')

  # target_paid is three-valued: nil adds no qualifier at all.
  case target_paid
  when true  then pieces << 'paid '
  when false then pieces << 'unpaid '
  end

  pieces << if class_name == 'any'
              'anything '
            elsif !target_name.nil?
              # A named target is one object, so the class stays singular.
              class_name.downcase + ' '
            else
              class_name.downcase.pluralize + ' '
            end

  limits = []
  limits << "owned by grantee" if target_owned_by_self
  limits << "owned by #{target_owner.name}" unless target_owner.nil?
  limits << "of firm #{target_owner_firm.name}" unless target_owner_firm.nil?
  limits << '"' + target_name + '"' unless target_name.nil?

  pieces.join + limits.join(', ')
end
Pseudo-attribute for granting privileges on particular objects.
# File app/models/permission.rb, line 125
# Pseudo-attribute reader: the specific object this permission applies to,
# or nil when no target_id is set.
#
# The lookup goes through target_class, so it depends on class_name naming
# a class that responds to find.
# NOTE(review): presumably find raises when the record no longer exists --
# confirm how callers handle a stale target_id.
def target
  target_id.nil? ? nil : target_class.find( target_id )
end
# File app/models/permission.rb, line 132
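# Pseudo-attribute writer: restricts this permission to one object, or
# clears the restriction when given nil.
#
# obj:: the object to target, or nil to clear target_id and target_name
#
# Raises ArgumentError when obj's class name differs from class_name, so a
# permission for one class cannot be pointed at an object of another.
def target=( obj )
  if obj.nil?
    self.target_id = nil
    self.target_name = nil
    return
  end

  # Exact string match on the class name; instances of subclasses are
  # rejected as well.
  if obj.class.name != self.class_name
    # Name the class this permission covers (class_name). The previous
    # message interpolated self.class.name, which is this model's own class
    # and made every mismatch report the same, misleading class.
    raise ArgumentError, "#{obj.class.name} was not a #{self.class_name}"
  end

  self.target_id = obj.id
  # target_name is a stored copy of the object's name, taken only when the
  # object has one.
  self.target_name = obj.respond_to?( :name ) ? obj.name : nil
end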
Pseudo-attribute: the class on which this permission grants privileges. Returns the class object, not the name (that is, Blog, not ‘Blog’).
(This is a settable facade attribute; setting it to a class object, viz: "perm.target_class = Blog", sets the class_name attribute as well).
# File app/models/permission.rb, line 106
# Pseudo-attribute reader: the class object named by class_name, or nil
# when class_name is unset.
#
# Raises NameError when the name resolves to something that is not a Class
# (a module, for instance).
#
# The stored string is resolved by reflection through constantize.
# NOTE(review): nothing here checks that the class is access-controlled;
# that check (declared_privileges) is made in validate, so this appears to
# rely on the record having been validated -- confirm for callers that
# build a Permission without saving it.
def target_class
  return nil if class_name.nil?

  resolved = class_name.constantize
  # nil is not a Class either, so one test covers both rejected cases.
  unless resolved.is_a?( Class )
    raise NameError, "#{class_name} is not the name of a class"
  end

  resolved
end
# File app/models/permission.rb, line 119
# Pseudo-attribute writer: stores the name of +klass+ in class_name, or
# nil when +klass+ is nil.
#
# No check is made here that +klass+ is an access-controlled class; the
# stored name is checked in validate.
def target_class=( klass )
  self.class_name = (klass.name unless klass.nil?)
end
Sort key; may be helpful for presentation…
# File app/models/permission.rb, line 266
# Sort key for presentation: a 'T' or 'F' flag for grant permissions,
# then the class name, a space, and the privilege.
def ui_sort_order
  grant_flag = is_grant? ? 'T' : 'F'
  grant_flag + class_name + ' ' + privilege.to_s
end
# File app/models/permission.rb, line 71
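# Validation hook: checks that class_name names an access-controlled class
# and that privilege is one that class declares (or the :any wildcard).
#
# Adds an error on :class_name when the name is nil, does not resolve, does
# not resolve to a Class, or resolves to a class without
# declared_privileges. Adds an error on :privilege when the class does not
# declare it.
#
# The declared_privileges test is what limits class_name to
# access-controlled classes; before it, constantize will resolve whatever
# constant name the attribute holds.
def validate
  # Resolve the name once, so the class that is checked is the class whose
  # privileges are read, and the lookup is not repeated.
  klass = nil
  unless class_name.nil?
    begin
      resolved = class_name.constantize
      klass = resolved if resolved.is_a?( Class )
    rescue NameError
      # Unknown or malformed constant name: handled as "not a class" below.
      klass = nil
    end
  end

  unless klass && klass.respond_to?( :declared_privileges )
    errors.add :class_name, "is not the name of an access-controlled class"
    return
  end

  unless privilege == :any || klass.declared_privileges.include?( privilege )
    errors.add :privilege, "is not a permission on #{class_name}"
  end
end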