Module: Panda::Core::Authorizable
- Extended by:
- ActiveSupport::Concern
- Included in:
- Panda::Core::Admin::BaseController
- Defined in:
- app/controllers/concerns/panda/core/authorizable.rb
Overview
Authorizable concern for admin controllers.
Provides a generic authorization layer that delegates permission checks
to the configurable Panda::Core.config.authorization_policy lambda.
This allows downstream gems (e.g. panda-cms-pro) to inject RBAC checks
without panda-core needing any knowledge of roles or permissions.
Usage in controllers:
class PagesController < Admin::BaseController
:edit_content, only: [:edit, :update]
:publish_content, only: [:publish]
end
Or manually:
def update
(:edit_content, @page)
end
Instance Method Summary collapse
-
#authorize!(action, resource = nil) ⇒ Object
Authorize the current user or render a 403/redirect.
-
#authorized_for?(action, resource = nil) ⇒ Boolean
Check whether the current user is authorized for the given action.
-
#authorized_for_admin_access? ⇒ Boolean
Check whether the current user is authorized to access the admin panel.
-
#can?(action, resource = nil) ⇒ Boolean
View-layer helper for checking permissions.
Instance Method Details
#authorize!(action, resource = nil) ⇒ Object
Authorize the current user or render a 403/redirect.
66 67 68 69 70 71 72 73 74 75 76 77 78 |
# File 'app/controllers/concerns/panda/core/authorizable.rb', line 66 def (action, resource = nil) return if (action, resource) respond_to do |format| format.html do flash[:error] = "You do not have permission to perform this action." redirect_to(request.referer || panda_core.admin_root_path) end format.json do render json: {error: "Forbidden", status: 403}, status: :forbidden end end end |
#authorized_for?(action, resource = nil) ⇒ Boolean
Check whether the current user is authorized for the given action.
50 51 52 53 54 55 56 57 58 59 |
# File 'app/controllers/concerns/panda/core/authorizable.rb', line 50 def (action, resource = nil) return false unless current_user # Admin users bypass all authorization checks return true if current_user.admin? # Delegate to the configured authorization policy policy = Panda::Core.config. policy.call(current_user, action, resource) end |
#authorized_for_admin_access? ⇒ Boolean
Check whether the current user is authorized to access the admin panel. This is called during authentication to allow non-admin users with roles to access the admin area.
95 96 97 98 99 100 101 102 103 104 |
# File 'app/controllers/concerns/panda/core/authorizable.rb', line 95 def return false unless current_user # Admin users always have access return true if current_user.admin? # Check the authorization policy for :access_admin policy = Panda::Core.config. policy.call(current_user, :access_admin, nil) end |
#can?(action, resource = nil) ⇒ Boolean
View-layer helper for checking permissions.
Can be used in templates: if can?(:edit_content)
86 87 88 |
# File 'app/controllers/concerns/panda/core/authorizable.rb', line 86 def can?(action, resource = nil) (action, resource) end |