# acl.rb
  2.  
roles do
  # Roles known to the :acl schema, declared in the order the original listed them.
  %i[guest tulper owner admin].each { |name| role name }
end
  11.  
asserts do
  # Ownership asserts. Both take the acting user's id as a parameter and
  # compare it against the id of the subject's owner.
  assert(:owner, [:user_id]) { subject.owner.id == user_id }
  assert(:not_owner, [:user_id]) { subject.owner.id != user_id }
end
  23.  
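resource "BusinessController" do
  # :show declares no assert or role restriction.
  privilege :show

  # :edit is granted to a :tulper who is not the owner. The role is named
  # explicitly because a :guest would also satisfy the :not_owner assert.
  privilege :edit do
    pass :not_owner, [:tulper]
  end

  # :update carries the same rule as :edit. The role was previously spelled
  # :tupler, which is not a declared role, so the privilege could never be
  # granted to the intended role.
  privilege :update do
    pass :not_owner, [:tulper]
  end
end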
  38.  
resource "Owners::BusinessController" do
  # Every owner-area action requires the :owner assert to pass.
  %i[show edit update].each do |action|
    privilege(action) { pass :owner }
  end
end
  54.  
# types/business.rb
  56.  
resource "Business" do
  # Form types for Business. Each one whitelists the attributes that mass
  # assignment through that form accepts.
  type :create do
    attr_accessible :name, :city, :contact
  end

  type :edit do
    # :city is deliberately left out of the editable attributes.
    attr_accessible :name
    # The :admin scope may additionally assign :credit_rating.
    attr_accessible :name, :credit_rating, as: :admin

    # Sketch kept from the original of how a scoped assignment might look:
    #   def assign_attributes(values, options = {})
    #     sanitize_for_mass_assignment(values, options[:as]).each do |k, v|
    #       send("#{k}=", v)
    #     end
    #   end
  end
end
  77.  
# policies/busnesses.rb
  79.  
roles do
  # Actor roles, followed by what are presumably tariff-plan roles (the
  # policy schema unions the owner's plan into the role list, see
  # AccessSchemaHelper#policy).
  %i[admin tulper].each { |name| role name }
  %i[bulb flower bouquet].each { |name| role name }
end
  90.  
asserts do
  # Passes when none of the subject's changed attributes appears in
  # +disallow_attrs+. Names are compared as strings, matching what
  # +subject.changed+ (AR::Dirty) returns.
  assert(:allowed_attrs, [:disallow_attrs]) do
    disallowed = disallow_attrs.map(&:to_s)
    subject.changed.none? { |attribute| disallowed.include?(attribute) }
  end
end
  98.  
resource "Business" do
  # Domain rules for updating a business as a :tulper: presumably the actor
  # must be the creator of a not-yet-approved record, and must not change
  # :name. Whether the schema ANDs or ORs several +pass+ lines is not shown
  # in this file.
  privilege :update do
    # NOTE(review): :creator and :not_approved are not declared in this
    # file's asserts block — confirm they exist in the schema.
    pass [:creator, :not_approved], [:tulper]
    pass :allowed_attrs, [:tulper], disallow_attrs: [:name]
  end
end
  109.  
# access_schema_helper.rb
  111.  
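class AccessSchemaHelper
  # Controller/view helpers that evaluate the :acl and :policy access
  # schemas for the current user.
  #
  # Usage in a controller:
  #   before_filter { required! :reviews, :delete }

  # Raise unless the ACL grants the privilege for the controller behind a
  # named route.
  #
  # @param route_method [Symbol, String] route name, resolved through the
  #   +hash_for_<route>_path+ helper; call sites pass literal symbols and the
  #   name is dispatched with +send+, so it must not come from request input
  # @param action [Symbol, nil] privilege to check; defaults to the route's
  #   own action
  # @param options [Hash] extra schema options, e.g. +subject:+
  # @raise [AccessSchema::NotAllowed] when the ACL rejects the privilege
  def required!(route_method, action = nil, options = {})
    url_options = send("hash_for_#{route_method}_path")
    controller_name = url_options[:controller].to_s.camelize
    resource = "#{controller_name}Controller"
    privilege = action || url_options[:action]
    acl.require!(resource, privilege, options)
  end

  # Predicate form of +required!+ for views:
  #   - if can? :reviews, :delete, :subject => review
  #     = link_to "Delete", review_path(review)
  #
  # Only AccessSchema::NotAllowed maps to +false+; any other error still
  # propagates, so a misconfigured route or schema is not silently hidden.
  # (The unused +=> e+ binding on the rescue was dropped.)
  #
  # @return [Boolean]
  def can?(*args)
    required!(*args)
    true
  rescue AccessSchema::NotAllowed
    false
  end

  # The :acl schema bound to the current roles and user id.
  def acl
    schema_options = {
      roles: current_roles,
      user_id: current_user.try(:id)
    }
    AccessSchema.schema(:acl).with_options(schema_options)
  end

  # The :policy schema, for domain rules (tariff plans and the like) in
  # controllers and views:
  #   policy.allow? review, :add_photo
  #
  # A policy has to look at both the actor's roles and the subject owner's
  # state, so instead of a fixed role list the schema receives a proc that
  # computes the roles for a particular subject.
  def policy
    # A proc rather than a lambda so the schema may call it with whatever
    # arity it uses — TODO confirm against AccessSchema.
    roles_for_subject = proc do |options|
      # NOTE(review): the owner's plan is unioned with an Array, so it is
      # assumed to already be an Array of role symbols — confirm in the model.
      plan = options[:subject].try(:owner).try(:plan)
      plan ||= [current_user.try(:plan) || :none]
      current_roles | plan
    end

    schema_options = {
      roles: roles_for_subject,
      user_id: current_user.try(:id)
    }
    AccessSchema.schema(:policy).with_options(schema_options)
  end
end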
  176.  
# controllers/businesses_controller.rb
  178.  
class BusinessesController < ApplicationController
  # Public business pages. Access is checked up front by the before filters
  # through AccessSchemaHelper#required!, which resolves the given route
  # name via +hash_for_*_path+.
  # NOTE(review): the route name is kept as written — verify that
  # +onwers_businesses+ matches a route that actually exists.

  # Read-only actions: only the controller/action pair is checked.
  before_filter only: %i[show index] do
    required! :onwers_businesses
  end

  # Write actions also hand the form object over as the ACL subject.
  before_filter only: %i[new create edit update] do
    required! :onwers_businesses, subject: business_form
  end

  def show
    @business = W::Business.find(params[:id])
  end

  def index
    @businesses = W::Business.order(:rank).all
  end

  def new
    @business = business_form
  end

  # Creation goes through the :create form type, which whitelists the
  # assignable attributes. No policy check is made here: creating a business
  # has no special rules worth moving into a policy.
  def create
    @business = business_form
    @business.attributes = params[:business]
    # NOTE(review): a failed create re-renders :edit rather than :new —
    # confirm that is intended (the templates may be shared).
    persist_or_render_edit
  end

  def edit
    @business = business_form
  end

  # The policy check deliberately runs after mass assignment: the policy's
  # :allowed_attrs assert inspects +subject.changed+ (AR::Dirty).
  def update
    @business = business_form
    @business.attributes = params[:business]
    policy.require! @business, :update
    persist_or_render_edit
  end

  private

  # Save @business and redirect to it, or re-render the edit form.
  def persist_or_render_edit
    if @business.save
      redirect_to @business
    else
      render :edit
    end
  end

  def business_type(type)
    FormFactory.build(Business, type)
  end

  # Memoized form object: the :edit type for an existing record when an
  # +id+ param is present, otherwise a fresh :create form.
  def business_form
    @business_form ||= if params[:id].present?
                         business_type(:edit).find(params[:id])
                       else
                         business_type(:create).new
                       end
  end
end
  247.  
# controllers/owners/businesses_controller.rb
  249.  
class Owners::BusinessesController < Owners::ApplicationController
  # Owner-area business pages; the :acl resource for this controller grants
  # every privilege only when the :owner assert passes.
  # NOTE(review): the route name is kept as written — verify that
  # +onwers_businesses+ matches a route that actually exists.

  before_filter only: %i[show] do
    required! :onwers_businesses
  end

  # Write actions hand the form object over as the ACL subject so the
  # :owner assert can compare its owner with the current user.
  before_filter only: %i[edit update] do
    required! :onwers_businesses, subject: business_form
  end

  def show
    @business = W::Business.find(params[:id])
  end

  def edit
    @business = business_form
  end

  # Mass assignment goes through the :edit form type; unlike the public
  # controller no policy check is made here, only the ACL before filter.
  def update
    @business = business_form
    @business.attributes = params[:business]
    saved = @business.save
    if saved
      redirect_to @business
    else
      render :edit
    end
  end

  private

  # Memoized :edit form for the record named by the +id+ param.
  def business_form
    @business_form ||= FormFactory.build(Business, :edit).find(params[:id])
  end
end
  288.  
  289.  
# services/business_service.rb
  291.  
class BusinessService < Services::Base
  # Update a business on behalf of its owner.
  #
  # @param business_id [Integer, String] id of the business to load
  # @param attrs [Hash] attributes to mass-assign through the
  #   :edit_as_owner form type, which is where whitelisting happens
  # @param options [Hash] carries +:actor+, the user the policy is evaluated
  #   for (a missing actor is passed through as nil — behaviour of
  #   +policy(nil)+ is not shown here)
  # @raise presumably AccessSchema::NotAllowed from +require!+ when the policy
  #   rejects the change; the check runs after assignment so the policy can
  #   see the dirty attributes
  # @raise whatever +save!+ raises on validation failure
  def update_as_owner(business_id, attrs, options)
    form = FormFactory.build(Business, :edit_as_owner)
    @business = form.find(business_id)
    @business.attributes = attrs
    policy(options[:actor]).require!(@business, :update)
    @business.save!
  end
end