Class: HaveAPI::Authorization

Inherits:
Object
Defined in:
lib/haveapi/authorization.rb


Constructor Details

#initialize(&block) ⇒ Authorization

Returns a new instance of Authorization.



# File 'lib/haveapi/authorization.rb', line 3

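# Create an authorization holding a single rule block.
#
# @param block [Proc, nil] rule evaluated by #authorized? with (user, path_params);
#   it must call #allow to grant access, otherwise the default outcome is deny.
#   When no block is given nothing is stored: a nil entry would blow up when
#   #authorized? tries to instance_exec it, whereas an empty rule list simply
#   takes the default-deny path.
def initialize(&block)
  @blocks = block ? [block] : []
end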

Instance Method Details

#allow ⇒ Object



# File 'lib/haveapi/authorization.rb', line 71

# Grant access: unwinds to the catch(:rule) in #authorized? with true,
# so no further rule blocks run once a block has called it.
def allow
  throw :rule, true
end

#authorized?(user, path_params) ⇒ Boolean

Returns true if the user is authorized. The block must call `allow` to authorize the user; the default rule is deny.

Returns:



# File 'lib/haveapi/authorization.rb', line 14

# Evaluate every rule block against the given user and path parameters.
# The first block that calls #allow or #deny settles the decision; a block
# that does neither falls through to the next one, and when every block
# falls through the result is deny. Restrictions collected via #restrict
# are reset at the start of each evaluation.
#
# @param user the subject being authorized (handed to each block as its first argument)
# @param path_params the request's path parameters (handed to each block as its second argument)
# @return [Boolean] true only if some block called #allow
def authorized?(user, path_params)
  @restrict = []

  catch(:rule) do
    @blocks.each { |rule| instance_exec(user, path_params, &rule) }

    # Reached only when no block threw :rule — fail closed.
    deny
  end
end

#deny ⇒ Object



# File 'lib/haveapi/authorization.rb', line 75

# Refuse access: unwinds to the catch(:rule) in #authorized? with false.
# Also used by #restrict and #restrictions when restrictions contradict each other.
def deny
  throw :rule, false
end

#filter_input(input, params) ⇒ Object



# File 'lib/haveapi/authorization.rb', line 93

# Filter client-supplied input against the whitelist/blacklist registered via #input.
# Delegates to filter_inner with formatting disabled.
#
# @param input the parameters supplied by the client
# @param params passed through to filter_inner (presumably the action's parameter
#   definitions — not visible here)
def filter_input(input, params)
  rules = @input # nil when #input was never called; filter_inner is expected to cope
  filter_inner(input, rules, params, false)
end

#filter_meta_output(output, params, format = false) ⇒ Object



# File 'lib/haveapi/authorization.rb', line 101

# Filter meta output against the rule returned by meta_output_filter.
#
# @param output the meta output to filter
# @param params passed through to filter_inner (presumably the action's parameter
#   definitions — not visible here)
# @param format [Boolean] passed through to filter_inner
def filter_meta_output(output, params, format = false)
  rules = meta_output_filter
  filter_inner(output, rules, params, format)
end

#filter_output(output, params, format = false) ⇒ Object



# File 'lib/haveapi/authorization.rb', line 97

# Filter output against the whitelist/blacklist registered via #output, so a
# client only receives the parameters it is allowed to read.
#
# @param output the response parameters to filter
# @param params passed through to filter_inner (presumably the action's parameter
#   definitions — not visible here)
# @param format [Boolean] passed through to filter_inner
def filter_output(output, params, format = false)
  rules = @output # nil when #output was never called; filter_inner is expected to cope
  filter_inner(output, rules, params, format)
end

#initialize_clone(other) ⇒ Object



# File 'lib/haveapi/authorization.rb', line 7

# Give the clone its own rule list so that #prepend_block on one instance
# does not leak into the other. The list is copied shallowly: the block
# objects themselves are shared.
#
# @param other [Authorization] the instance being cloned
def initialize_clone(other)
  super
  source_blocks = other.instance_variable_get(:@blocks)
  @blocks = source_blocks.clone
end

#input(whitelist: nil, blacklist: nil) ⇒ Object

Restrict the parameters a client can set or change.

Parameters:

  • whitelist (Array<Symbol>) (defaults to: nil)

    allow only listed parameters

  • blacklist (Array<Symbol>) (defaults to: nil)

    allow all parameters except listed ones



# File 'lib/haveapi/authorization.rb', line 47

# Restrict which parameters a client may set or change. Both lists are stored
# as given; nil means "no list". A whitelist is the safer choice when new
# parameters may be added later, since a blacklist silently admits them.
#
# @param whitelist [Array<Symbol>, nil] allow only the listed parameters
# @param blacklist [Array<Symbol>, nil] allow all parameters except the listed ones
# @return [Hash] the stored rule
def input(whitelist: nil, blacklist: nil)
  @input = { whitelist: whitelist, blacklist: blacklist }
end

#meta_output(whitelist: nil, blacklist: nil) ⇒ Object



# File 'lib/haveapi/authorization.rb', line 64

# Restrict which meta output parameters a client may retrieve. Both lists are
# stored as given; nil means "no list".
#
# @param whitelist [Array<Symbol>, nil] allow only the listed parameters
# @param blacklist [Array<Symbol>, nil] allow all parameters except the listed ones
# @return [Hash] the stored rule
def meta_output(whitelist: nil, blacklist: nil)
  @meta_output = { whitelist: whitelist, blacklist: blacklist }
end

#output(whitelist: nil, blacklist: nil) ⇒ Object

Restrict the parameters a client can retrieve.

Parameters:

  • whitelist (Array<Symbol>) (defaults to: nil)

    allow only listed parameters

  • blacklist (Array<Symbol>) (defaults to: nil)

    allow all parameters except listed ones



# File 'lib/haveapi/authorization.rb', line 57

# Restrict which parameters a client may retrieve. Both lists are stored as
# given; nil means "no list". A whitelist is the safer choice when new
# parameters may be added later, since a blacklist silently exposes them.
#
# @param whitelist [Array<Symbol>, nil] allow only the listed parameters
# @param blacklist [Array<Symbol>, nil] allow all parameters except the listed ones
# @return [Hash] the stored rule
def output(whitelist: nil, blacklist: nil)
  @output = { whitelist: whitelist, blacklist: blacklist }
end

#permitted_input_names(params) ⇒ Object



# File 'lib/haveapi/authorization.rb', line 105

# Names of the parameters the client is permitted to set, derived from the
# rule registered via #input.
#
# @param params passed through to permitted_params (presumably the action's
#   parameter definitions — not visible here)
# @return [Array] the name of each permitted parameter
def permitted_input_names(params)
  permitted = permitted_params(params, @input)
  permitted.map(&:name)
end

#prepend_block(block) ⇒ Object



# File 'lib/haveapi/authorization.rb', line 26

# Add a rule block that runs before all existing ones in #authorized?,
# so it gets the first chance to call #allow or #deny.
#
# @param block [Proc] rule receiving (user, path_params)
# @return [Array<Proc>] the updated rule list
def prepend_block(block)
  @blocks.unshift(block)
end

#restrict(**kwargs) ⇒ Object

Apply restrictions to the query that selects objects from the database. The most common usage is to restrict a user to accessing only the objects they own.



# File 'lib/haveapi/authorization.rb', line 32

# Record a restriction on the query that selects objects (typically owner == user).
# Restrictions accumulate during one #authorized? run. A new restriction that
# contradicts an earlier one on the same key can never be satisfied, so it
# denies outright instead of silently replacing or widening the earlier rule.
#
# @param kwargs [Hash] attribute => required value
# @return [Array<Hash>] the accumulated restrictions
def restrict(**kwargs)
  normalized = normalize_hash_keys(kwargs)

  conflict = normalized.any? do |key, value|
    @restrict.any? { |restriction| restriction.key?(key) && restriction[key] != value }
  end
  deny if conflict

  @restrict << normalized
end

#restrictions ⇒ Object



# File 'lib/haveapi/authorization.rb', line 79

# Merge every restriction collected via #restrict into a single hash.
# Two restrictions that disagree on the same key cannot both hold, so the
# merge fails closed by calling #deny rather than letting one value win.
#
# @return [Hash] attribute => required value, across all restrictions
def restrictions
  @restrict.each_with_object({}) do |restriction, merged|
    restriction.each do |key, value|
      deny if merged.key?(key) && merged[key] != value

      merged[key] = value
    end
  end
end