Module: Panda::Core::Authorizable

Extended by:
ActiveSupport::Concern
Included in:
Panda::Core::Admin::BaseController
Defined in:
app/controllers/concerns/panda/core/authorizable.rb

Overview

Authorizable concern for admin controllers.

Provides a generic authorization layer that delegates permission checks to the configurable Panda::Core.config.authorization_policy lambda. This allows downstream gems (e.g. panda-cms-pro) to inject RBAC checks without panda-core needing any knowledge of roles or permissions.

Usage in controllers:

class PagesController < Admin::BaseController
require_permission :edit_content, only: [:edit, :update]
require_permission :publish_content, only: [:publish]
end

Or manually:

def update
authorize!(:edit_content, @page)
end

Instance Method Summary collapse

Instance Method Details

#authorize!(action, resource = nil) ⇒ Object

Authorize the current user or render a 403/redirect.

Parameters:

  • action (Symbol)

    the action/permission to check

  • resource (Object, nil) (defaults to: nil)

    optional resource context

Raises:

  • renders 403 or redirects if not authorized



66
67
68
69
70
71
72
73
74
75
76
77
78
# File 'app/controllers/concerns/panda/core/authorizable.rb', line 66

def authorize!(action, resource = nil)
  return if authorized_for?(action, resource)

  respond_to do |format|
    format.html do
      flash[:error] = "You do not have permission to perform this action."
      redirect_to(request.referer || panda_core.admin_root_path)
    end
    format.json do
      render json: {error: "Forbidden", status: 403}, status: :forbidden
    end
  end
end

#authorized_for?(action, resource = nil) ⇒ Boolean

Check whether the current user is authorized for the given action.

Parameters:

  • action (Symbol)

    the action/permission to check

  • resource (Object, nil) (defaults to: nil)

    optional resource context

Returns:

  • (Boolean)


50
51
52
53
54
55
56
57
58
59
# File 'app/controllers/concerns/panda/core/authorizable.rb', line 50

def authorized_for?(action, resource = nil)
  return false unless current_user

  # Admin users bypass all authorization checks
  return true if current_user.admin?

  # Delegate to the configured authorization policy
  policy = Panda::Core.config.authorization_policy
  policy.call(current_user, action, resource)
end

#authorized_for_admin_access?Boolean

Check whether the current user is authorized to access the admin panel. This is called during authentication to allow non-admin users with roles to access the admin area.

Returns:

  • (Boolean)


95
96
97
98
99
100
101
102
103
104
# File 'app/controllers/concerns/panda/core/authorizable.rb', line 95

def authorized_for_admin_access?
  return false unless current_user

  # Admin users always have access
  return true if current_user.admin?

  # Check the authorization policy for :access_admin
  policy = Panda::Core.config.authorization_policy
  policy.call(current_user, :access_admin, nil)
end

#can?(action, resource = nil) ⇒ Boolean

View-layer helper for checking permissions. Can be used in templates: if can?(:edit_content)

Parameters:

  • action (Symbol)

    the action/permission to check

  • resource (Object, nil) (defaults to: nil)

    optional resource context

Returns:

  • (Boolean)


86
87
88
# File 'app/controllers/concerns/panda/core/authorizable.rb', line 86

def can?(action, resource = nil)
  authorized_for?(action, resource)
end