Module: Strongbolt::UserAbilities::InstanceMethods

Defined in:

lib/strongbolt/user_abilities.rb

Instance Method Summary

• #add_tenant(tenant) ⇒ Object

  Adds a managed tenant to the user.

• #can?(action, instance, attrs = :any, all_instance = false) ⇒ Boolean

  Main method for user, used to check whether the user is authorized to perform a certain action on an instance/class.

• #cannot?(*args) ⇒ Boolean

  Convenient method.

• #capabilities ⇒ Object

  ———————————————————-# # Returns all the user’s capabilities plus inherited ones # # ———————————————————-#.

• #owns?(instance) ⇒ Boolean

  Checks if the user owns the instance given.

Instance Method Details

#add_tenant(tenant) ⇒ Object

Adds a managed tenant to the user

# File 'lib/strongbolt/user_abilities.rb', line 23

def add_tenant(tenant)
  sing_tenant_name = tenant.class.name.demodulize.underscore
  send("users_#{sing_tenant_name.pluralize}").create! sing_tenant_name => tenant
  # users_tenants.create! tenant: tenant
end

#can?(action, instance, attrs = :any, all_instance = false) ⇒ Boolean

Main method for user, used to check whether the user is authorized to perform a certain action on an instance/class

Returns:

• (Boolean)

# File 'lib/strongbolt/user_abilities.rb', line 33

def can?(action, instance, attrs = :any, all_instance = false)
  without_grant do
    # Get the actual instance if we were given AR
    instance = instance.try(:first) if instance.is_a?(ActiveRecord::Relation)
    return false if instance.nil?

    # We require this to be an *existing* user, that the action and attribute be symbols
    # and that the instance is a class or a String
    raise ArgumentError, 'Action must be a symbol and instance must be Class, String, Symbol or AR' unless self.id.present? && action.is_a?(Symbol) &&
                                                                                                           (instance.is_a?(ActiveRecord::Base) || instance.is_a?(Class) || instance.is_a?(String)) && attrs.is_a?(Symbol)

    # Pre-populate all the capabilities into a results cache for quick lookup. Permissions for all "non-owned" objects are
    # immediately available; additional lookups are required for owned objects (e.g. User, CheckoutBag, etc.).
    # The results cache key is formatted as "action model attribute" (attribute can be any, all or an actual attribute)
    # -any, all, an ID, or "owned" (if the ID will be verified later) is appended to the key based on which instances
    # a user has access to
    populate_capabilities_cache unless @results_cache.present?
    # Determine the model name and the actual model (if we need to traverse the hierarchy)
    if instance.is_a?(ActiveRecord::Base)
      model = instance.class
      model_name = model.send(:name_for_authorization)
    elsif instance.is_a?(Class)
      model = instance
      model_name = model.send(:name_for_authorization)
    else
      model = nil # We could do model_name.constantize, but there's a big cost to doing this
      # if we don't need it, so just defer until we determine there's an actual need
      model_name = instance
    end

    # Look up the various possible valid entries in the cache that would allow us to see this
    return capability_in_cache?(action, instance, model_name, attrs, all_instance)
  end # end w/o grant
end

#cannot?(*args) ⇒ Boolean

Convenient method

Returns:

• (Boolean)

# File 'lib/strongbolt/user_abilities.rb', line 71

def cannot?(*args)
  !can?(*args)
end

#capabilities ⇒ Object

———————————————————-#

                                                        #
Returns all the user's capabilities plus inherited ones #
                                                        #

———————————————————-#

# File 'lib/strongbolt/user_abilities.rb', line 12

def capabilities
  @capabilities_cache ||= Strongbolt::Capability.unscoped.joins(:roles)
                                                .joins('INNER JOIN strongbolt_roles as children_roles ON strongbolt_roles.lft <= children_roles.lft AND children_roles.rgt <= strongbolt_roles.rgt')
                                                .joins('INNER JOIN strongbolt_roles_user_groups rug ON rug.role_id = children_roles.id')
                                                .joins('INNER JOIN strongbolt_user_groups_users ugu ON ugu.user_group_id = rug.user_group_id')
                                                .where('ugu.user_id = ?', self.id).distinct.to_a.concat(Strongbolt.default_capabilities)
end

#owns?(instance) ⇒ Boolean

Checks if the user owns the instance given

Returns:

• (Boolean)

Raises:

• (ArgumentError)

# File 'lib/strongbolt/user_abilities.rb', line 78

def owns?(instance)
  raise ArgumentError unless instance.is_a?(Object) && !instance.is_a?(Class)
  # If the user id is set, does this (a) user id match the user_id field of the instance
  # or (b) if this is a User instance, does the user id match the instance id?
  key = instance.is_a?(User) ? :id : :user_id
  !id.nil? && instance.try(key) == id
end