
Untitled

a guest
Feb 21st, 2018
  1. Privilege # ensure that Privilege class is loaded
  2.  
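# This module provides access control behavior to ActiveRecord models.
# The class into which it is included must provide a '#client' method,
# the result of which will be used as the context for authorization
# checks.
#
# Including the module extends the class with ActiveRecordClassMethods and
# declares three default privileges derived from the class name:
# "view_<name>", "create_<name>" and "modify_<name>", where <name> is
# +a_class.name.underscore+.
module AccessControl

  # Indicates if +an_account+ is allowed to know of the existence of this
  # object.
  #
  # This fallback raises instead of answering; the +included+ hook defines
  # the real predicate on the including class, which takes precedence.
  def visible_to?(an_account)
    raise NotImplementedError
  end

  # Indicates if +an_account+ should be allowed to create this object.
  # This should be called before calling +#save+ on a new model object
  # and the save should be performed only if true is returned.
  def creatable_by?(an_account)
    raise NotImplementedError
  end

  # Indicates if +an_account+ should be allowed to modify this object.
  # This should be called before performing any actions which result in
  # the database being updated. Such actions should only be performed if
  # true is returned.
  def modifiable_by?(an_account)
    raise NotImplementedError
  end

  # Hook run when the module is included. Installs the class-level
  # declarations and registers the default privilege names for +a_class+.
  def self.included(a_class)
    a_class.extend(ActiveRecordClassMethods)

    # The declaration methods are protected, hence +send+.
    resource_name = a_class.name.underscore
    a_class.send(:visibility_privilege, "view_#{resource_name}")
    a_class.send(:creation_privilege, "create_#{resource_name}")
    a_class.send(:modification_privilege, "modify_#{resource_name}")
  end

  module ActiveRecordClassMethods
    protected

    # Declares that objects of the class on which this is called are
    # visible to accounts that hold +privilege_name+ at the object's
    # +client+.
    def visibility_privilege(privilege_name)
      define_method(:visible_to?) do |an_account|
        an_account.has_privilege_at?(privilege_name, client)
      end
    end

    # Declares that objects of this class are creatable by accounts who
    # hold the +privilege+ at the client which owns this resource.
    #
    # Two predicates are defined:
    # * the instance-level +creatable_by?+, checked against the object's
    #   own +client+;
    # * a class-level +creatable_by?+, which is true when the account's
    #   lookup for this privilege returns a non-empty collection. It does
    #   not look at any particular client, so it is the coarser check of
    #   the two; the instance-level check is still the one to run before
    #   +#save+.
    def creation_privilege(privilege_name)
      define_method(:creatable_by?) do |an_account|
        an_account.has_privilege_at?(privilege_name, client)
      end
      (class << self; self; end).instance_eval do
        define_method(:creatable_by?) do |an_account|
          !an_account.clients_at_which_account_has(Privilege(privilege_name)).empty?
        end
      end
    end

    # Declares that objects of this class are modifiable by accounts
    # who hold the +privilege+ at the client which owns this resource.
    def modification_privilege(privilege_name)
      define_method(:modifiable_by?) do |an_account|
        an_account.has_privilege_at?(privilege_name, client)
      end
    end

    # Adds optional +:visible_to => an_account+ option to +#find(:all,
    # options)+. This option will exclude any objects which are not
    # visible to the specified account from the returned collection.
    #
    # The filter is keyed on the presence of +:visible_to+, not on its
    # value. A caller that passes +:visible_to => nil+ (for example because
    # no account is signed in) gets an empty collection, never the
    # unfiltered result set.
    #
    # Filtering is done in Ruby on whatever the underlying finder returns.
    # NOTE(review): any limit/offset in +options+ is presumably applied
    # before invisible records are dropped -- confirm that callers do not
    # depend on the resulting collection size.
    def find_every_with_visible_to_handling(options)
      return find_every_without_visible_to_handling(options) unless options.key?(:visible_to)

      account = options[:visible_to]
      # Fail closed: an explicit but missing account must not widen access.
      return [] unless account

      find_every_without_visible_to_handling(options).select { |rec| rec.visible_to?(account) }
    end

    # Validates that the options passed to +#find()+ are all valid
    # options: the VALID_FIND_OPTIONS constant looked up on
    # ActiveRecord::Base's singleton class, plus +:visible_to+.
    def validate_find_options(options)
      options.assert_valid_keys((class << ::ActiveRecord::Base; self; end)::VALID_FIND_OPTIONS + [:visible_to])
    end

    # Hook run when a class is extended with this module. Wraps the
    # class-level +find_every+ so that the +:visible_to+ handling above
    # runs around it.
    def self.extended(ar_class)
      (class << ar_class; self; end).alias_method_chain :find_every, :visible_to_handling
    end
  end

end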