---
declarative_authorization: |-
Controllers
class EmployeesController < ApplicationController
filter_resource_access
...
end
class EmployeesController < ApplicationController
filter_access_to :all
def index
...
end
...
end
class EmployeesController < ApplicationController
filter_access_to :all
# this action would already be covered by :all, but :read is a
# more suitable privilege than the derived :auto_complete_for_employee_name
filter_access_to :auto_complete_for_employee_name, :require => :read
def auto_complete_for_employee_name
...
end
...
end
class EmployeesController < ApplicationController
filter_access_to :update, :attribute_check => true
def update
# @employee is already loaded from params[:id] because of :attribute_check
end
end
class EmployeesController < ApplicationController
before_filter :new_employee_from_params, :only => :create
before_filter :new_employee, :only => [:index, :new]
filter_access_to :all, :attribute_check => true
def create
@employee.save!
end
protected
def new_employee_from_params
@employee = Employee.new(params[:employee])
end
end
Views
<% permitted_to? :create, :employees do %>
<%= link_to 'New', new_employee_path %>
<% end %>
<% permitted_to? :create, Branch.new(:company => @company) do
# or @company.branches.new
# or even @company.branches %>
<%= link_to 'New', new_company_branch_path(@company) %>
<% end %>
<% for employee in @employees %>
<%= link_to 'Edit', edit_employee_path(employee) if permitted_to? :update, employee %>
<% end %>
Models
class Employee < ActiveRecord::Base
using_access_control
...
end
Employee.with_permissions_to(:read)
Employee.with_permissions_to(:read).find(:all, :conditions => ...)
Authorization Rules
authorization do
role :admin do
has_permission_on :employees, :to => [:create, :read, :update, :delete]
end
end
authorization do
role :admin do
has_permission_on :employees, :to => :manage
end
end
privileges do
privilege :manage do
includes :create, :read, :update, :delete
end
end
privileges do
privilege :manage, :employees, :includes => :increase_salary
end
authorization do
role :branch_admin do
has_permission_on :employees do
to :manage
# user refers to the current_user at the time the rule is evaluated
if_attribute :branch => is {user.branch}
end
end
end
authorization do
role :branch_admin do
has_permission_on :branches, :to => :manage do
if_attribute :managers => contains {user}
end
has_permission_on :employees, :to => :manage do
if_permitted_to :manage, :branch
# instead of
#if_attribute :branch => {:managers => contains {user}}
end
end
end
role :project_manager do
includes :employee
end