Class: Fosm::Lifecycle::AccessDefinition

Inherits:
Object
Defined in:
lib/fosm/lifecycle/access_definition.rb

Overview

Holds the access control definition for a FOSM lifecycle.

Activated by declaring an `access do … end` block inside `lifecycle do`. Once declared, RBAC is enforced: deny-by-default, only granted capabilities work. Without an access block, all authenticated actors have full access (open-by-default).

Design principles:

- Rules live IN the lifecycle definition, same file as states and events
- One default role is auto-assigned to the record creator on creation
- Superadmin bypasses all checks (like root in Linux)
- :system and :agent symbols bypass RBAC (internal/programmatic actors)

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize ⇒ AccessDefinition

Returns a new instance of AccessDefinition.

# File 'lib/fosm/lifecycle/access_definition.rb', line 19

def initialize
  @roles        = []
  @default_role = nil
end

Instance Attribute Details

#roles ⇒ Object (readonly)

Returns the value of attribute roles.

# File 'lib/fosm/lifecycle/access_definition.rb', line 17

def roles
  @roles
end

Instance Method Details

#default_role ⇒ Object

The role name that gets auto-assigned to the creator when a record is created. nil if no default was declared.

# File 'lib/fosm/lifecycle/access_definition.rb', line 39

def default_role
  @default_role
end

#find_role(name) ⇒ Object

# File 'lib/fosm/lifecycle/access_definition.rb', line 53

def find_role(name)
  @roles.find { |r| r.name == name.to_sym }
end

#role(name, default: false, &block) ⇒ Object

DSL: declare a role within the access block

Parameters:

  • name (Symbol)

    role name (e.g. :owner, :approver, :viewer)

  • default (Boolean) (defaults to: false)

    if true, auto-assigned to the record creator on create

  • block (Proc)

    permissions block where `can` is called

# File 'lib/fosm/lifecycle/access_definition.rb', line 29

def role(name, default: false, &block)
  role_def = RoleDefinition.new(name: name)
  role_def.instance_eval(&block) if block_given?
  @roles << role_def
  @default_role = name.to_sym if default
  role_def
end

#role_names ⇒ Object

# File 'lib/fosm/lifecycle/access_definition.rb', line 57

def role_names
  @roles.map(&:name)
end

#roles_for_crud(action) ⇒ Object

Returns the role names permitted to perform a CRUD action (:create/:read/:update/:delete)

# File 'lib/fosm/lifecycle/access_definition.rb', line 49

def roles_for_crud(action)
  @roles.select { |r| r.can_crud?(action.to_sym) }.map(&:name)
end

#roles_for_event(event_name) ⇒ Object

Returns the role names permitted to fire a given lifecycle event

# File 'lib/fosm/lifecycle/access_definition.rb', line 44

def roles_for_event(event_name)
  @roles.select { |r| r.can_event?(event_name.to_sym) }.map(&:name)
end
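The following is an added, self-contained example showing how the Overview's deny-by-default model, the `role` DSL and the `roles_for_event` / `roles_for_crud` queries fit together. It is not FOSM's own code: `AccessDefinition` is copied verbatim from this page, but `RoleDefinition` (whose source is not shown here) is a minimal stand-in, and its `can` signature, the `build_access` builder and the `permitted?` check are assumptions made for this example. FOSM's real enforcement layer may differ.

```ruby
# Added example, not part of the FOSM project. AccessDefinition is copied
# from the documented source; RoleDefinition, its `can` signature, and the
# permitted? helper are ASSUMED stand-ins written for this illustration.
module Fosm
  module Lifecycle
    # Assumed stand-in: records the CRUD actions and events a role may use.
    class RoleDefinition
      attr_reader :name, :crud_actions, :events

      def initialize(name:)
        @name         = name.to_sym
        @crud_actions = []
        @events       = []
      end

      # Assumed DSL signature, called inside `role ... do ... end`:
      #   can :read, :update                 -> CRUD grants only
      #   can :read, events: [:submit]       -> CRUD plus event grants
      def can(*actions, events: [])
        @crud_actions.concat(actions.map(&:to_sym))
        @events.concat(Array(events).map(&:to_sym))
        self
      end

      def can_crud?(action)
        @crud_actions.include?(action.to_sym)
      end

      def can_event?(event)
        @events.include?(event.to_sym)
      end
    end

    # Copied from lib/fosm/lifecycle/access_definition.rb as shown on this page.
    class AccessDefinition
      attr_reader :roles

      def initialize
        @roles        = []
        @default_role = nil
      end

      def role(name, default: false, &block)
        role_def = RoleDefinition.new(name: name)
        role_def.instance_eval(&block) if block_given?
        @roles << role_def
        @default_role = name.to_sym if default
        role_def
      end

      def default_role
        @default_role
      end

      def roles_for_event(event_name)
        @roles.select { |r| r.can_event?(event_name.to_sym) }.map(&:name)
      end

      def roles_for_crud(action)
        @roles.select { |r| r.can_crud?(action.to_sym) }.map(&:name)
      end

      def find_role(name)
        @roles.find { |r| r.name == name.to_sym }
      end

      def role_names
        @roles.map(&:name)
      end
    end
  end
end

# Constructed sample: what an `access do ... end` block inside `lifecycle do`
# would declare. The outer lifecycle DSL is not shown on the page, so the
# block is evaluated directly against an AccessDefinition here.
def build_access
  access = Fosm::Lifecycle::AccessDefinition.new
  access.instance_eval do
    role :owner, default: true do         # auto-assigned to the record creator
      can :read, :update, :delete, events: [:submit, :cancel]
    end
    role :approver do
      can :read, events: [:approve, :reject]
    end
    role :viewer do
      can :read
    end
  end
  access
end

# Assumed deny-by-default check. `actor` is either one of the bypass symbols
# from the Overview (:system / :agent) or a Hash with a :roles array; a
# :superadmin role bypasses every rule. Anything not explicitly granted is
# refused, including unknown events and unknown actors.
BYPASS_ACTORS = %i[system agent].freeze

def permitted?(access, actor, kind, target)
  return true if BYPASS_ACTORS.include?(actor)

  held = actor.is_a?(Hash) ? actor.fetch(:roles, []).map(&:to_sym) : []
  return true if held.include?(:superadmin)

  allowed = kind == :event ? access.roles_for_event(target) : access.roles_for_crud(target)
  !(held & allowed).empty?
end
```

Note that `permitted?` resolves the role list once per check and intersects it with the grant list, so a role that is declared but given no `can` calls grants nothing, which is the deny-by-default behaviour the Overview describes.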