Class: CurrentScope::Current

Inherits:
ActiveSupport::CurrentAttributes
  • Object
show all
Defined in:
app/models/current_scope/current.rb

Overview

The ambient authorization context. Request- and job-scoped: Rails resets CurrentAttributes around every unit of execution, so the subject can never leak between requests, jobs, or test examples.

Two identities live here:

- user  — the EFFECTIVE subject every permission check reads.
- actor — the REAL principal behind the request (the pretender's
        `true_user`). It falls back to `user`, so attribution always
        reads `actor` with no nil branch. They differ only while
        impersonating: actor = the admin, user = the impersonated subject.

Instance Method Summary collapse

Instance Method Details

#actorObject

Falls back to the effective subject, so actor is never nil when user is set — callers attribute to actor without a nil branch.



27
28
29
# File 'app/models/current_scope/current.rb', line 27

def actor
  super || user
end

#memoized_org_role(subject) ⇒ Object

Memoize the org-role lookup for subject for the rest of this request/job. Keyed by subject so a check that spans several subjects stays correct. Caches nil (no role) too, so a repeated "no grant" check is one query, not N.



34
35
36
37
38
39
40
41
42
# File 'app/models/current_scope/current.rb', line 34

def memoized_org_role(subject)
  return yield if subject.nil?

  cache = (self.org_role_cache ||= {})
  key = [ subject.class.name, subject.id ]
  return cache[key] if cache.key?(key)

  cache[key] = yield
end

#reset_org_role_cacheObject

Drop the memo — called on any org-role write so a later check in the same request sees the change.



46
47
48
# File 'app/models/current_scope/current.rb', line 46

def reset_org_role_cache
  self.org_role_cache = nil
end