Module: Lockdown::Rules

Included in:

System

Defined in:

lib/lockdown/rules.rb

Instance Attribute Summary

• #options ⇒ Object

  Returns the value of attribute options.

• #permission_objects ⇒ Object readonly

  Returns the value of attribute permission_objects.

• #permissions ⇒ Object

  Returns the value of attribute permissions.

• #protected_access ⇒ Object readonly

  Returns the value of attribute protected_access.

• #public_access ⇒ Object readonly

  Returns the value of attribute public_access.

• #user_groups ⇒ Object

  Returns the value of attribute user_groups.

Instance Method Summary

• #access_rights_for_permission(perm) ⇒ Object

  Return array of controller/action for a permission.

• #access_rights_for_user(usr) ⇒ Object

  Return array of controller/action values user can access.

• #administrator?(usr) ⇒ Boolean

  Test user for administrator rights.

• #get_permissions ⇒ Object

  Returns array of permission names as symbols.

• #get_user_groups ⇒ Object

  Returns array of user group names as symbols.

• #make_user_administrator(usr) ⇒ Object

  Pass in a user object to be associated to the administrator user group The group will be created if it doesn’t exist.

• #permission_assigned_automatically?(permmision_symbol) ⇒ Boolean

  These permissions are assigned by the system.

• #permission_exists?(permission_symbol) ⇒ Boolean (also: #has_permission?)

  Is the permission defined?.

• #permissions_assignable_for_user(usr) ⇒ Object

  Similar to user_groups_assignable_for_user, this method should be used to restrict users from creating a user group with more power than they have been allowed.

• #permissions_for_user_group(ug) ⇒ Object

  Returns and array of permission symbols for the user group.

• #process_rules ⇒ Object
• #protected_access?(permmision_symbol) ⇒ Boolean

  returns true if the permission is public.

• #public_access?(permmision_symbol) ⇒ Boolean

  returns true if the permission is public.

• #set_defaults ⇒ Object
• #set_permission(name) ⇒ Object

  Creates new permission object Refer to the Permission object for the full functionality.

• #set_protected_access(*perms) ⇒ Object

  Defines protected access by the permission symbols.

• #set_public_access(*perms) ⇒ Object

  Defines public access by the permission symbols.

• #set_user_group(name, *perms) ⇒ Object

  Define a user groups by name and permission symbol(s).

• #standard_authorized_user_rights ⇒ Object

  Returns array of controller/action values all logged in users can access.

• #user_group_exists?(user_group_symbol) ⇒ Boolean (also: #has_user_group?)

  Is the user group defined? The :administrators user group always exists.

• #user_groups_assignable_for_user(usr) ⇒ Object

  Use this for the management screen to restrict user group list to the user.

• #user_has_user_group?(usr, sym) ⇒ Boolean

  Pass in user object and symbol for name of user group.

Instance Attribute Details

#options ⇒ Object

Returns the value of attribute options.

# File 'lib/lockdown/rules.rb', line 5

def options
  @options
end

#permission_objects ⇒ Object (readonly)

Returns the value of attribute permission_objects.

# File 'lib/lockdown/rules.rb', line 12

def permission_objects
  @permission_objects
end

#permissions ⇒ Object

Returns the value of attribute permissions.

# File 'lib/lockdown/rules.rb', line 6

def permissions
  @permissions
end

#protected_access ⇒ Object (readonly)

Returns the value of attribute protected_access.

# File 'lib/lockdown/rules.rb', line 9

def protected_access
  @protected_access
end

#public_access ⇒ Object (readonly)

Returns the value of attribute public_access.

# File 'lib/lockdown/rules.rb', line 10

def public_access
  @public_access
end

#user_groups ⇒ Object

Returns the value of attribute user_groups.

# File 'lib/lockdown/rules.rb', line 7

def user_groups
  @user_groups
end

Instance Method Details

#access_rights_for_permission(perm) ⇒ Object

Return array of controller/action for a permission

# File 'lib/lockdown/rules.rb', line 187

def access_rights_for_permission(perm)
  sym = Lockdown.get_symbol(perm)

  permissions[sym]
rescue 
  raise SecurityError, "Permission requested is not defined: #{sym}"
end

#access_rights_for_user(usr) ⇒ Object

Return array of controller/action values user can access.

# File 'lib/lockdown/rules.rb', line 171

def access_rights_for_user(usr)
  return unless usr
  return :all if administrator?(usr)

  rights = standard_authorized_user_rights
    
  user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
  user_groups.each do |grp|
    permissions_for_user_group(grp).each do |perm|
      rights += access_rights_for_permission(perm) 
    end
  end
  rights
end

#administrator?(usr) ⇒ Boolean

Test user for administrator rights

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 197

def administrator?(usr)
  user_has_user_group?(usr, Lockdown.administrator_group_symbol)
end

#get_permissions ⇒ Object

Returns array of permission names as symbols

# File 'lib/lockdown/rules.rb', line 112

def get_permissions
  permissions.keys
end

#get_user_groups ⇒ Object

Returns array of user group names as symbols

# File 'lib/lockdown/rules.rb', line 139

def get_user_groups
  user_groups.keys
end

#make_user_administrator(usr) ⇒ Object

Pass in a user object to be associated to the administrator user group The group will be created if it doesn’t exist

# File 'lib/lockdown/rules.rb', line 158

def make_user_administrator(usr)
  user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
  user_groups << Lockdown.user_group_class.
    find_or_create_by_name(Lockdown.administrator_group_string)
end

#permission_assigned_automatically?(permmision_symbol) ⇒ Boolean

These permissions are assigned by the system

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 134

def permission_assigned_automatically?(permmision_symbol)
  public_access?(permmision_symbol) || protected_access?(permmision_symbol)
end

#permission_exists?(permission_symbol) ⇒ Boolean Also known as: has_permission?

Is the permission defined?

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 117

def permission_exists?(permission_symbol)
  get_permissions.include?(permission_symbol)
end

#permissions_assignable_for_user(usr) ⇒ Object

Similar to user_groups_assignable_for_user, this method should be used to restrict users from creating a user group with more power than they have been allowed.

# File 'lib/lockdown/rules.rb', line 238

def permissions_assignable_for_user(usr)
  return [] if usr.nil?
  if administrator?(usr)
    get_permissions.collect do |k| 
      ::Permission.find_by_name(Lockdown.get_string(k))
    end.compact
  else
    user_groups_assignable_for_user(usr).collect do |g| 
      g.permissions
    end.flatten.compact
  end
end

#permissions_for_user_group(ug) ⇒ Object

Returns and array of permission symbols for the user group

# File 'lib/lockdown/rules.rb', line 252

def permissions_for_user_group(ug)
  sym = Lockdown.get_symbol(ug)
  perm_array = []  

  if has_user_group?(sym)
    permissions = user_groups[sym] || []
  else
    permissions = ug.permissions
  end


  permissions.each do |perm|
    perm_sym = Lockdown.get_symbol(perm)

    unless permission_exists?(perm_sym)
      msg = "Permission associated to User Group is invalid: #{perm}"
      raise SecurityError, msg
    end

    perm_array << perm_sym
  end

  perm_array 
end

#process_rules ⇒ Object

# File 'lib/lockdown/rules.rb', line 277

def process_rules
  parse_permissions
  validate_user_groups
end

#protected_access?(permmision_symbol) ⇒ Boolean

returns true if the permission is public

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 129

def protected_access?(permmision_symbol)
  protected_access.include?(permmision_symbol)
end

#public_access?(permmision_symbol) ⇒ Boolean

returns true if the permission is public

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 124

def public_access?(permmision_symbol)
  public_access.include?(permmision_symbol)
end

#set_defaults ⇒ Object

# File 'lib/lockdown/rules.rb', line 14

def set_defaults
  @permissions  = {}
  @user_groups  = {}
  @options      = {}

  @permission_objects = {}

  @controller_classes = []
  @public_access      = []
  @protected_access   = []

  @options = {
    :session_timeout => (60 * 60),
    :who_did_it => :current_user_id,
    :default_who_did_it => 1,
    :logout_on_access_violation => false,
    :access_denied_path_authenticated => nil,
    :access_denied_path_public => nil,
    :access_denied_path => "/",
    :successful_login_path => "/",
    :subdirectory => nil,
    :skip_db_sync_in => ["test"],
    :link_separator => ' | '
  }

  begin
    @options[:user_group_model] = "UserGroup"
  rescue NameError 
  end

  begin
    @options[:user_model] = "User" 
  rescue NameError 
  end
  
end

#set_permission(name) ⇒ Object

Creates new permission object

Refer to the Permission object for the full functionality

# File 'lib/lockdown/rules.rb', line 57

def set_permission(name)
  @permission_objects[name] = Lockdown::Permission.new(name)
end

#set_protected_access(*perms) ⇒ Object

Defines protected access by the permission symbols

Example

set_public_access(:permission_one, :permission_two)

# File 'lib/lockdown/rules.rb', line 83

def set_protected_access(*perms)
  perms.each do |perm_symbol|
    perm = permission_objects.find{|name, pobj| pobj.name == perm_symbol}
    if perm
      perm[1].set_as_protected_access 
    else
      msg = "Permission not found: #{perm_symbol}"
      raise InvalidRuleAssigment, msg
    end
  end
end

#set_public_access(*perms) ⇒ Object

Defines public access by the permission symbols

Example

set_public_access(:permission_one, :permission_two)

# File 'lib/lockdown/rules.rb', line 66

def set_public_access(*perms)
  perms.each do |perm_symbol|
    perm = permission_objects.find{|name, pobj| pobj.name == perm_symbol}
    if perm
      perm[1].set_as_public_access 
    else
      msg = "Permission not found: #{perm_symbol}"
      raise InvalidRuleAssigment, msg
    end
  end
end

#set_user_group(name, *perms) ⇒ Object

Define a user groups by name and permission symbol(s)

Example

set_user_group(:managment_group, :permission_one, :permission_two)

# File 'lib/lockdown/rules.rb', line 100

def set_user_group(name, *perms)
  user_groups[name] ||= []
  perms.each do |perm|
    user_groups[name].push(perm)
  end
end

#standard_authorized_user_rights ⇒ Object

Returns array of controller/action values all logged in users can access.

# File 'lib/lockdown/rules.rb', line 166

def standard_authorized_user_rights
  public_access + protected_access 
end

#user_group_exists?(user_group_symbol) ⇒ Boolean Also known as: has_user_group?

Is the user group defined?

The :administrators user group always exists

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 145

def user_group_exists?(user_group_symbol)
  return true if user_group_symbol == Lockdown.administrator_group_symbol
  get_user_groups.include?(user_group_symbol)
end

#user_groups_assignable_for_user(usr) ⇒ Object

Use this for the management screen to restrict user group list to the user. This will prevent a user from creating a user with more power than him/her self.

# File 'lib/lockdown/rules.rb', line 212

def user_groups_assignable_for_user(usr)
  return [] if usr.nil?
  ug_table = Lockdown.user_groups_hbtm_reference.to_s
  if administrator?(usr)
    Lockdown.user_group_class.find_by_sql <<-SQL
      select #{ug_table}.* from #{ug_table} order by #{ug_table}.name
    SQL
  else
    usr_table = Lockdown.users_hbtm_reference.to_s
    if usr_table < ug_table
      join_table = "#{usr_table}_#{ug_table}"
    else
      join_table = "#{ug_table}_#{usr_table}"
    end
    Lockdown.user_group_class.find_by_sql <<-SQL
        select #{ug_table}.* from #{ug_table}, #{join_table}
         where #{ug_table}.id = #{join_table}.#{Lockdown.user_group_id_reference}
         and #{join_table}.#{Lockdown.user_id_reference} = #{usr.id}	 
         order by #{ug_table}.name
    SQL
  end
end

#user_has_user_group?(usr, sym) ⇒ Boolean

Pass in user object and symbol for name of user group

Returns:

• (Boolean)

# File 'lib/lockdown/rules.rb', line 202

def user_has_user_group?(usr, sym)
  user_groups = usr.send(Lockdown.user_groups_hbtm_reference)
  user_groups.any? do |ug|
    Lockdown.convert_reference_name(ug.name) == sym
  end
end