Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Privilege # ensure that Privilege class is loaded
- # This module provides access control behavior to ActiveRecord models.
- # The class into which it is included must provide a '#client' method
- # the result of which will be used as the context for authorization
- # checks.
- module AccessControl
- # Indicates if +an_account+ is allowed to know of the existence of this
- # object.
- def visible_to?(an_account)
- raise NotImplementedError
- end
- # Indicates if +an_account+ should allowed to create this object.
- # This should be called before calling +#save+ on a new model object
- # and the save should be performed only if true is returned.
- def creatable_by?(an_account)
- raise NotImplementedError
- end
- # Indicates if +an_account+ should be allowed to modify this object.
- # This should before performing any actions which result in the
- # database being updated. Such action should only be performed if
- # true is returned.
- def modifiable_by?(an_account)
- raise NotImplementedError
- end
- def self.included(a_class)
- a_class.extend(ActiveRecordClassMethods)
- a_class.send(:visibility_privilege, "view_#{a_class.name.underscore}")
- a_class.send(:creation_privilege, "create_#{a_class.name.underscore}")
- a_class.send(:modification_privilege, "modify_#{a_class.name.underscore}")
- end
- module ActiveRecordClassMethods
- protected
- # Declares that object of the class on which this is called are
- # visible to users that have the specified privilege.
- def visibility_privilege(privilege_name)
- define_method(:visible_to?) do |an_account|
- an_account.has_privilege_at?(privilege_name, client)
- end
- end
- # Declares that objects of this class are creatable by accounts who
- # hold the +privilege+ at the client which owns this resource.
- def creation_privilege(privilege_name)
- define_method(:creatable_by?) do |an_account|
- an_account.has_privilege_at?(privilege_name, client)
- end
- (class << self; self; end).instance_eval do
- define_method(:creatable_by?) do |an_account|
- !an_account.clients_at_which_account_has(Privilege(privilege_name)).empty?
- end
- end
- end
- # Declares that objects of this class are modifiable by accounts
- # who hold the +privilege+ at the client which owns this resource.
- def modification_privilege(privilege_name)
- define_method(:modifiable_by?) do |an_account|
- an_account.has_privilege_at?(privilege_name, client)
- end
- end
- # Adds optional +:visible_to => an_account+ option to +#find(:all,
- # options)+. This option will exclude any objects which are not
- # visible to the specified account from the returned collection.
- def find_every_with_visible_to_handling(options)
- if account = options[:visible_to]
- find_every_without_visible_to_handling(options).select {|rec| rec.visible_to?(account)}
- else
- find_every_without_visible_to_handling(options)
- end
- end
- # Validates that the options passed to +#find()+ are all valid
- # options
- def validate_find_options(options)
- options.assert_valid_keys((class << ::ActiveRecord::Base; self; end)::VALID_FIND_OPTIONS + [:visible_to])
- end
- def self.extended(ar_class)
- (class << ar_class; self; end).alias_method_chain :find_every, :visible_to_handling
- end
- end
- end
Add Comment
Please, Sign In to add comment