  1. # encoding: utf-8
  2.  
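module Application::AuthFilters

  # Hooks the filters and view helpers into the including controller.
  #
  # Installs CSRF protection, the HTTP Basic "site gate" and the
  # declarative_authorization user binding as before-filters, exposes the
  # predicate helpers below to the views and masks password parameters in
  # the request log.
  #
  def self.included(base)
    base.class_eval do
      protect_from_forgery

      before_filter :verify_site_access
      before_filter :set_current_account_for_model_security

      helper_method :current_user, :me?, :admin?, :can?, :cannot?

      filter_parameter_logging :password, :password_confirmation
    end
  end

  protected

  # Authentication-filter: Before-hook to verify site access using HTTP Basic Authentication.
  # Used for hiding/restricting development/unstable versions of the site,
  # i.e. "staging" versions.
  #
  # The gate is only armed when +Settings.security.enabled+ is set and the
  # current Rails environment is listed in +Settings.security.environments+.
  # Blank configured credentials fail closed (nobody gets in) instead of
  # letting an empty login/password pair through.
  #
  def verify_site_access
    security = ::Settings.security
    # Make non-production environments hidden for public.
    return unless security.enabled && security.environments.present?
    return unless restricted_environment?(security.environments)

    authenticate_or_request_with_http_basic do |login, password|
      site_access_credentials_valid?(login, password)
    end
  end

  # Does the current Rails environment match any name in +environments+?
  #
  # Any error raised while probing +Rails.env?+ (e.g. a malformed entry in
  # the settings file) counts as "no match", so a bad entry never disables
  # the whole filter chain.
  #
  def restricted_environment?(environments)
    environments.any? do |env|
      begin
        ::Rails.env?(env.to_sym)
      rescue StandardError
        false
      end
    end
  end

  # Compares the supplied HTTP Basic credentials with the configured
  # +Settings.security.site_access+ login/pass pair.
  #
  # NOTE(review): plain +==+ on strings is not constant-time; if the app's
  # Rails/Rack version provides a +secure_compare+ helper, prefer it here.
  #
  def site_access_credentials_valid?(login, password)
    site_access    = ::Settings.security.site_access
    expected_login = site_access.login
    expected_pass  = site_access.pass
    # A missing/blank configured credential must deny, not match "".
    return false if expected_login.blank? || expected_pass.blank?

    login == expected_login && password == expected_pass
  end

  # Authorization-filter: For model security maintenance.
  #
  # Binds the signed-in account to +Authorization.current_user+ so model
  # level rules see the same user as the controller.
  #
  # See "declarative_authorization" documentation for more info.
  #
  def set_current_account_for_model_security
    ::Authorization.current_user = current_user
  end

  # Authorization-hook: Permission denied, i.e. user not authorized.
  #
  # HTML requests are bounced back to the referring page (or the login page
  # for anonymous users); XML/JS requests get a bare 401.
  #
  # See "declarative_authorization" documentation for more info.
  #
  def permission_denied
    respond_to do |format|
      # NOTE(review): the second positional argument is not an I18n option
      # hash; if a scope was intended this should be +:scope => [...]+.
      flash[:failure] = ::I18n.t(:not_allowed, [:flash, :accounts, :errors])
      format.html do
        begin
          if current_account
            # +:back+ relies on the Referer header and raises when it is
            # absent; the rescue below turns that into a safe default.
            redirect_to :back
          else
            redirect_to login_path
          end
        rescue StandardError
          redirect_to root_path
        end
      end
      format.xml { head :unauthorized }
      format.js { head :unauthorized }
    end
  end

  # Helper: alias :current_user :current
  #
  def current_user
    current_account
  end

  # Helper: Is current user?
  #
  # Returns +false+ for a +nil+ subject even when nobody is signed in;
  # otherwise the anonymous case (+nil == nil+) would report a match.
  #
  # == Usage/Examples:
  #
  # me?(current_user) # => true
  # me?(User.new) # => false
  # me?(nil) # => false
  #
  def me?(subject)
    !subject.nil? && subject == current_user
  end

  # Helper: Is current user admin?
  #
  # Duck-typed: any +subject+ that does not respond to +has_role?+ is not
  # an admin.
  #
  # == Usage/Examples:
  #
  # admin? # => admin?(current_user) => false
  # admin?(User.new) # => false
  # current_user.assign_role!(:admin) #
  # admin?(User.new) # => false
  #
  def admin?(subject = current_user)
    return false unless subject.respond_to?(:has_role?)

    subject.has_role?(:admin)
  end

  # Helper: Is the current user authorized to do X?
  #
  # Thin wrapper around declarative_authorization's +permitted_to?+.
  #
  # == Usage/Examples:
  #
  # can?(:new, Post)
  # can?(:edit, Post)
  # can?(:edit, @post)
  #
  # See/Manage authorization rules in: +config/authorization_rules.rb+
  #
  def can?(*args)
    permitted_to?(*args)
  end

  # Helper: Opposite of +can?+.
  #
  # == Usage/Examples:
  #
  # cannot?(:new, Post)
  # cannot?(:edit, Post)
  # cannot?(:edit, @post)
  #
  # See/Manage authorization rules in: +config/authorization_rules.rb+
  #
  def cannot?(*args)
    !can?(*args)
  end

end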