Class: Parse::ACL

Inherits:

DataType

• Object
• DataType
• Parse::ACL

Defined in:

lib/parse/model/acl.rb

Overview

An ACL represents the dirty-trackable Parse Permissions object used for each record. In Parse, it is composed a hash-like object that represent User objectIds and/or a set of Role names. For each entity (ex. User/Role/Public), you can define read/write privileges on a particular record through a Permission instance.

If you want to give privileges for an action (ex. read/write), you set that particular permission it to true. If you want to deny a permission, then you set it to false. Any denied permissions will not be part of the final hash structure that is sent to parse, as omission of a permission means denial.

An ACL is represented by a JSON object with the keys being Parse::User object ids or the special key of "", which indicates the public access permissions. The value of each key in the hash is a Permission object which defines the boolean permission state for read and write. The example below illustrates a Parse ACL JSON object where there is a *public read permission, but public write is prevented. In addition, the user with id "3KmCvT7Zsb" is allowed to both read and write this record, and the "Admins" role is also allowed write access.

{ "*": { "read": true }, "3KmCvT7Zsb": { "read": true, "write": true }, "role:Admins": { "write": true } }

All Parse::Object subclasses have an acl property by default. With this property, you can apply and delete permissions for this particular Parse object record. user = Parse::User.first artist = Artist.first

artist.acl # "*": { "read": true, "write": true }

# apply public read, but no public write artist.acl.everyone true, false

# allow user to have read and write access artist.acl.apply user.id, true, true

# remove all permissions for this user id artist.acl.delete user.id

# allow the 'Admins' role read and write artist.acl.apply_role "Admins", true, true

# remove write from all attached privileges artist.acl.no_write!

# remove all attached privileges artist.acl.master_key_only!

artist.save

You may also set default ACLs for your subclasses by using Object.set_default_acl. These will get applied for newly created instances. Unless overridden, subclasses inherit the shipped :owner_else_private policy — records are private (master-only) until an owner is resolved at save time. Use Object.set_default_acl or Object.acl_policy to grant broader access.

class AdminData < Parse::Object

# Disable public read and write set_default_acl :public, read: true, write: false

# Allow Admin roles to read/write set_default_acl 'Admin', role: true, read: true, write: true

end

data = AdminData.new data.acl # => ACL("write"=>true})

For more information about Parse record ACLs, see the documentation on Security.

Defined Under Namespace

Classes: Permission

Constant Summary

PUBLIC =

The key field value for public permissions.

"*".freeze

Instance Attribute Summary

• #delegate ⇒ Object

  The instance object to be notified of changes.

• #permissions ⇒ Hash

  Contains a hash structure of permissions, with keys mapping to either Public '*', a role name or an objectId for a user and values of type Permission.

Class Method Summary

• .everyone(read = true, write = true) ⇒ Object

  Create a new ACL with default Public read/write permissions and any overrides from the input hash format.

• .permission(read, write = nil) ⇒ ACL::Permission

  Create a new ACL::Permission instance with the supplied read and write values.

• .private ⇒ Parse::ACL

  Create a new private ACL with no public access.

• .read_predicate(permissions, include_public: true) ⇒ Hash

  Build a MongoDB +$match+-shaped predicate that matches documents readable by any of +permissions+.

• .typecast(value, delegate = nil) ⇒ ACL

  Used for object conversion when formatting the input/output value in Parse::Object properties.

• .write_predicate(permissions, include_public: true) ⇒ Hash

  Build a MongoDB +$match+-shaped predicate that matches documents writable by any of +permissions+.

Instance Method Summary

• #==(other_acl) ⇒ Boolean

  Determines whether two ACLs or a Parse-ACL hash is equivalent to this object.

• #all_read! ⇒ Array

  Grants read permission on all existing users and roles attached to this object.

• #all_write! ⇒ Array

  Grants write permission on all existing users and roles attached to this object.

• #apply(id, read = nil, write = nil) ⇒ Hash (also: #add)

  Apply a new permission with a given objectId, tag or :public.

• #apply_role(name, read = nil, write = nil) ⇒ Object (also: #add_role)

  Apply a Role to this ACL.

• #as_json(*args) ⇒ Hash
• #attributes ⇒ Hash

  Used for JSON serialization.

• #delete(id) ⇒ Object

  Removes a permission for an objectId or user.

• #empty? ⇒ Boolean (also: #master_key_only?, #master_only?)

  Checks if the ACL has no permissions (master key only access).

• #everyone(read, write) ⇒ Hash (also: #world)

  Set the public read and write permissions.

• #initialize(acls = nil, owner: nil) ⇒ ACL constructor

  Create a new ACL with default Public read/write permissions and any overrides from the input hash format.

• #master_key_only! ⇒ Hash (also: #clear!)

  Removes all ACLs, which only allows requests using the Parse Server master key to query and modify the object.

• #no_read! ⇒ Array

  Denies read permission on all existing users and roles attached to this object.

• #no_read? ⇒ Boolean

  Checks if the object has no read permissions for anyone (master key only).

• #no_write! ⇒ Array

  Denies write permission on all existing users and roles attached to this object.

• #no_write? ⇒ Boolean

  Checks if the object has no write permissions for anyone (master key only).

• #owner?(user_or_role) ⇒ Boolean

  Checks if a specific user or role (or any in an array) has both read and write access to this object.

• #owners ⇒ Array<String>

  Returns an array of all user IDs and role names that have both read and write access.

• #present? ⇒ Boolean

  True if there are any permissions.

• #public_read? ⇒ Boolean

  Checks if the object has public read access.

• #public_write? ⇒ Boolean

  Checks if the object has public write access.

• #read_only? ⇒ Boolean

  Checks if the object is read-only (has read permissions but no write permissions).

• #readable_by ⇒ Array<String>

  Returns an array of all user IDs and role names that have read access to this object.

• #readable_by?(user_or_role) ⇒ Boolean (also: #can_read?)

  Checks if a specific user or role (or any in an array) has read access to this object.

• #will_change! ⇒ Object

  Calls acl_will_change! on the delegate when the permissions have changed.

• #write_only? ⇒ Boolean

  Checks if the object is write-only (has write permissions but no read permissions).

• #writeable_by ⇒ Array<String> (also: #writable_by)

  Returns an array of all user IDs and role names that have write access to this object.

• #writeable_by?(user_or_role) ⇒ Boolean (also: #writable_by?, #can_write?)

  Checks if a specific user or role (or any in an array) has write access to this object.

Constructor Details

#initialize(acls = nil, owner: nil) ⇒ ACL

Create a new ACL with default Public read/write permissions and any overrides from the input hash format.

Parameters:

• acls (Hash) (defaults to: nil) —

  a Parse-compatible hash acl format.

• owner (Parse::Object) (defaults to: nil) —

  a delegate to receive notifications of acl changes. This delegate must support receiving acl_will_change! method.

# File 'lib/parse/model/acl.rb', line 144

def initialize(acls = nil, owner: nil)
  acls = acls.as_json if acls.is_a?(ACL)
  self.attributes = acls if acls.is_a?(Hash)
  @delegate = owner
end

Instance Attribute Details

#delegate ⇒ Object

The instance object to be notified of changes. The delegate must support receiving a Object#acl_will_change! method.

# File 'lib/parse/model/acl.rb', line 120

attr_writer :permissions

#permissions ⇒ Hash

Contains a hash structure of permissions, with keys mapping to either Public '*', a role name or an objectId for a user and values of type Permission. If you modify this attribute directly, you should call Object#acl_will_change! on the target object in order for dirty tracking to register changes.

Examples:

object.acl.permissions
# => { "*": { "read": true }, "3KmCvT7Zsb": {  "read": true, "write": true } }

Returns:

• (Hash) —

  a hash of permissions.

# File 'lib/parse/model/acl.rb', line 132

def permissions
  @permissions ||= {}
end

Class Method Details

.everyone(read = true, write = true) ⇒ Object

Create a new ACL with default Public read/write permissions and any overrides from the input hash format.

Parameters:

• read (Boolean) (defaults to: true) —

  the read permissions for PUBLIC (default: true)

• write (Boolean) (defaults to: true) —

  the write permissions for PUBLIC (default: true)

Version:

• 1.7.0

# File 'lib/parse/model/acl.rb', line 155

def self.everyone(read = true, write = true)
  acl = Parse::ACL.new
  acl.everyone(read, write)
  acl
end

.permission(read, write = nil) ⇒ ACL::Permission

Create a new ACL::Permission instance with the supplied read and write values.

Parameters:

• read (Boolean) —

  the read permission value

• write (Boolean) (defaults to: nil) —

  the write permission value.

Returns:

• (ACL::Permission)

See Also:

• Permission

# File 'lib/parse/model/acl.rb', line 177

def self.permission(read, write = nil)
  ACL::Permission.new(read, write)
end

.private ⇒ Parse::ACL

Create a new private ACL with no public access. Objects with this ACL can only be accessed with the master key.

Examples:

acl = Parse::ACL.private
acl.as_json # => {}

Returns:

• (Parse::ACL) —

  an empty ACL with no permissions.

Version:

• 3.1.3

# File 'lib/parse/model/acl.rb', line 168

def self.private
  Parse::ACL.new
end

.read_predicate(permissions, include_public: true) ⇒ Hash

Build a MongoDB +$match+-shaped predicate that matches documents readable by any of +permissions+. The canonical shape Parse Server enforces at the REST/SDK layer:

{ "$or" => [ { "_rperm" => { "$in" => permissions } }, { "_rperm" => { "$exists" => false } } ]}

The +$exists: false+ branch is mandatory. Parse Server treats a missing +_rperm+ field as publicly readable (the field is only written when an ACL exists), so dropping that branch silently hides every public document.

Used by:

• Query::ACLReadableByConstraint and Query::ACLReadableByRoleConstraint to compile +:ACL.readable_by+ / +:ACL.readable_by_role+ query constraints into aggregation pipelines.
• Parse::AtlasSearch to enforce ACL on +$search+ pipelines that bypass Parse Server and query MongoDB directly.

Examples:

permissions = ["*", user.id] + user.acl_roles.to_a.map { |n| "role:#{n}" }
pipeline << { "$match" => Parse::ACL.read_predicate(permissions) }

Parameters:

• permissions (Array<String>) —

  permission strings — user objectIds, +"role:RoleName"+, or +"*"+ for public.

• include_public (Boolean) (defaults to: true) —

  when +true+ (default), +"*"+ is appended to +permissions+ if missing. Set +false+ for a strict-permissions check (e.g., +:ACL.readable_by => "none"+ semantics).

Returns:

• (Hash) —

  a MongoDB +$or+ subexpression suitable for use inside a +$match+ stage.

# File 'lib/parse/model/acl.rb', line 214

def self.read_predicate(permissions, include_public: true)
  permission_predicate("_rperm", permissions, include_public: include_public)
end

.typecast(value, delegate = nil) ⇒ ACL

Used for object conversion when formatting the input/output value in Parse::Object properties

Parameters:

• value (Hash) —

  a Parse ACL hash to construct a Parse::ACL instance.

• delegate (Object) (defaults to: nil) —

  any object that would need to be notified of changes.

Returns:

• (ACL)

See Also:

• DataType

# File 'lib/parse/model/acl.rb', line 361

def self.typecast(value, delegate = nil)
  ACL.new(value, owner: delegate)
end

.write_predicate(permissions, include_public: true) ⇒ Hash

Build a MongoDB +$match+-shaped predicate that matches documents writable by any of +permissions+. Mirrors read_predicate on the +_wperm+ field. See read_predicate for the shape and the significance of the +$exists: false+ branch.

Parameters:

• permissions (Array<String>) —

  permission strings.

• include_public (Boolean) (defaults to: true) —

  whether to append +"*"+.

Returns:

• (Hash) —

  a MongoDB +$or+ subexpression.

# File 'lib/parse/model/acl.rb', line 225

def self.write_predicate(permissions, include_public: true)
  permission_predicate("_wperm", permissions, include_public: include_public)
end

Instance Method Details

#==(other_acl) ⇒ Boolean

Determines whether two ACLs or a Parse-ACL hash is equivalent to this object.

Examples:

acl = Parse::ACL.new
# create a public read-only ACL
acl.apply :public, true, false
acl.as_json # => {'*' => { "read" => true }}

create a second instance with similar privileges
acl2 = Parse::ACL.everyone(true, false)
acl2.as_json # => {'*' => { "read" => true }}

acl == acl2 # => true
acl == {'*' => { "read" => true }} # hash ok too

acl2.apply_role 'Admin', true, true # rw for Admins
acl == acl2 # => false

Returns:

• (Boolean) —

  whether two ACLs have the same set of privileges.

# File 'lib/parse/model/acl.rb', line 262

def ==(other_acl)
  return false unless other_acl.is_a?(self.class) || other_acl.is_a?(Hash)
  as_json == other_acl.as_json
end

#all_read! ⇒ Array

Grants read permission on all existing users and roles attached to this object.

Examples:

object.acl
#    { "*":          { "read" : true },
#      "3KmCvT7Zsb": { "read" : true, "write": true },
#      "role:Admins": { "write": true }
#     }
object.acl.all_read!
# Outcome:
#    { "*":          { "read" : true },
#      "3KmCvT7Zsb": { "read" : true, "write": true },
#      "role:Admins": { "read" : true, "write": true}
#     }

Returns:

• (Array) —

  list of ACL keys

Version:

• 1.7.2

# File 'lib/parse/model/acl.rb', line 434

def all_read!
  will_change!
  permissions.keys.each do |perm|
    permissions[perm].read! true
  end
end

#all_write! ⇒ Array

Grants write permission on all existing users and roles attached to this object.

Examples:

object.acl
#    { "*":          { "read" : true },
#      "3KmCvT7Zsb": { "read" : true, "write": true },
#      "role:Admins": { "write": true }
#     }
object.acl.all_write!
# Outcome:
#    { "*":          { "read" : true, "write": true },
#      "3KmCvT7Zsb": { "read" : true, "write": true },
#      "role:Admins": { "write": true }
#     }

Returns:

• (Array) —

  list of ACL keys

Version:

• 1.7.2

# File 'lib/parse/model/acl.rb', line 456

def all_write!
  will_change!
  permissions.keys.each do |perm|
    permissions[perm].write! true
  end
end

#apply(user, read = nil, write = nil) ⇒ Hash #apply(role, read = nil, write = nil) ⇒ Hash #apply(id, read = nil, write = nil) ⇒ Hash Also known as: add

Apply a new permission with a given objectId, tag or :public.

Overloads:

• #apply(user, read = nil, write = nil) ⇒ Hash

  Set the read and write permissions for this user on this ACL.

  Parameters:

  • user (Parse::User) —

    the user object.

  • read (Boolean) (defaults to: nil) —

    the read permission.

  • write (Boolean) (defaults to: nil) —

    the write permission.

• #apply(role, read = nil, write = nil) ⇒ Hash

  Set the read and write permissions for this role object on this ACL.

  Parameters:

  • role (Parse::Role) —

    the role object.

  • read (Boolean) (defaults to: nil) —

    the read permission.

  • write (Boolean) (defaults to: nil) —

    the write permission.

• #apply(id, read = nil, write = nil) ⇒ Hash

  Set the read and write permissions for this objectId on this ACL.

  Parameters:

  • id (String|:public) —

    the objectId for a User. If :public is passed, then the PUBLIC read and write permissions will be modified.

  • read (Boolean) (defaults to: nil) —

    the read permission.

  • write (Boolean) (defaults to: nil) —

    the write permission.

Returns:

• (Hash) —

  the current set of permissions.

See Also:

• #apply_role

# File 'lib/parse/model/acl.rb', line 316

def apply(id, read = nil, write = nil)
  return apply_role(id, read, write) if id.is_a?(Parse::Role)
  id = id.id if id.is_a?(Parse::Pointer)
  unless id.present?
    raise ArgumentError, "Invalid argument applying ACLs: must be either objectId, role or :public"
  end
  id = PUBLIC if id.to_sym == :public
  # create a new Permissions
  permission = ACL.permission(read, write)
  # if the input is already an Permission object, then set it directly
  permission = read if read.is_a?(Parse::ACL::Permission)
  if permission.is_a?(ACL::Permission)
    if permissions[id.to_s] != permission
      will_change! # dirty track
      permissions[id.to_s] = permission
    end
  end

  permissions
end

#apply_role(role, read = nil, write = nil) ⇒ Object #apply_role(role_name, read = nil, write = nil) ⇒ Object Also known as: add_role

Apply a Role to this ACL.

Overloads:

• #apply_role(role, read = nil, write = nil) ⇒ Object

  Parameters:

  • role (Parse::Role) —

    the role object.

  • read (Boolean) (defaults to: nil) —

    the read permission.

  • write (Boolean) (defaults to: nil) —

    the write permission.

• #apply_role(role_name, read = nil, write = nil) ⇒ Object

  Parameters:

  • role_name (String) —

    the name of the role.

  • read (Boolean) (defaults to: nil) —

    the read permission.

  • write (Boolean) (defaults to: nil) —

    the write permission.

# File 'lib/parse/model/acl.rb', line 348

def apply_role(name, read = nil, write = nil)
  name = name.name if name.is_a?(Parse::Role)
  apply("role:#{name}", read, write)
end

#as_json(*args) ⇒ Hash

Returns:

• (Hash)

# File 'lib/parse/model/acl.rb', line 390

def as_json(*args)
  permissions.select { |k, v| v.present? }.as_json
end

#attributes ⇒ Hash

Used for JSON serialization. Only if an attribute is non-nil, do we allow it in the Permissions hash, since omission means denial of priviledge. If the permission value has neither read or write, then the entire record has been denied all privileges

Returns:

• (Hash)

# File 'lib/parse/model/acl.rb', line 370

def attributes
  permissions.select { |k, v| v.present? }.as_json
end

#delete(object) ⇒ Object #delete(id) ⇒ Object

Removes a permission for an objectId or user.

Overloads:

• #delete(object) ⇒ Object

  Parameters:

  • object (Parse::User) —

    the user to revoke permissions.

• #delete(id) ⇒ Object

  Parameters:

  • id (String) —

    the objectId to revoke permissions.

# File 'lib/parse/model/acl.rb', line 289

def delete(id)
  id = id.id if id.is_a?(Parse::Pointer)
  if id.present? && permissions.has_key?(id)
    will_change!
    permissions.delete(id)
  end
end

#empty? ⇒ Boolean Also known as: master_key_only?, master_only?

Checks if the ACL has no permissions (master key only access).

Returns:

• (Boolean) —

  true if no permissions exist

# File 'lib/parse/model/acl.rb', line 812

def empty?
  permissions.empty? || permissions.values.none? { |v| v.present? }
end

#everyone(read, write) ⇒ Hash Also known as: world

Set the public read and write permissions.

Parameters:

• read (Boolean) —

  the read permission state.

• write (Boolean) —

  the write permission state.

Returns:

• (Hash) —

  the current public permissions.

# File 'lib/parse/model/acl.rb', line 271

def everyone(read, write)
  apply(PUBLIC, read, write)
  permissions[PUBLIC]
end

#master_key_only! ⇒ Hash Also known as: clear!

Removes all ACLs, which only allows requests using the Parse Server master key to query and modify the object.

Examples:

object.acl
#    { "*":          { "read" : true },
#      "3KmCvT7Zsb": { "read" : true, "write": true },
#      "role:Admins": { "write": true }
#     }
object.acl.master_key_only!
# Outcome:
#    { }

Returns:

• (Hash) —

  The cleared permissions hash

Version:

• 1.7.2

# File 'lib/parse/model/acl.rb', line 412

def master_key_only!
  will_change!
  @permissions = {}
end

#no_read! ⇒ Array

Denies read permission on all existing users and roles attached to this object.

Examples:

object.acl
#    { "*":          { "read" : true },
#      "3KmCvT7Zsb": { "read" : true, "write": true },
#      "role:Admins": { "write": true }
#     }
object.acl.no_read!
# Outcome:
#    { "*":          nil,
#      "3KmCvT7Zsb": { "write": true },
#      "role:Admins": { "write": true }
#     }

Returns:

• (Array) —

  list of ACL keys

Version:

• 1.7.2

# File 'lib/parse/model/acl.rb', line 478

def no_read!
  will_change!
  permissions.keys.each do |perm|
    permissions[perm].read! false
  end
end

#no_read? ⇒ Boolean

Checks if the object has no read permissions for anyone (master key only).

Returns:

• (Boolean) —

  true if no one has read access

# File 'lib/parse/model/acl.rb', line 699

def no_read?
  permissions.values.none? { |v| v.read }
end

#no_write! ⇒ Array

Denies write permission on all existing users and roles attached to this object.

Examples:

object.acl
#    { "*":          { "read" : true },
#      "3KmCvT7Zsb": { "read" : true, "write": true },
#      "role:Admins": { "write": true }
#     }
object.acl.no_write!
# Outcome:
#    { "*":          { "read" : true },
#      "3KmCvT7Zsb": { "read" : true },
#      "role:Admins": nil
#     }

Returns:

• (Array) —

  list of ACL keys

Version:

• 1.7.2

# File 'lib/parse/model/acl.rb', line 500

def no_write!
  will_change!
  permissions.keys.each do |perm|
    permissions[perm].write! false
  end
end

#no_write? ⇒ Boolean

Checks if the object has no write permissions for anyone (master key only).

Returns:

• (Boolean) —

  true if no one has write access

# File 'lib/parse/model/acl.rb', line 705

def no_write?
  permissions.values.none? { |v| v.write }
end

#owner?(user_or_role) ⇒ Boolean

Checks if a specific user or role (or any in an array) has both read and write access to this object. When passed an array of strings, returns true if ANY of the users/roles have both read and write access (OR logic). When passed a Parse::User object or pointer, automatically fetches and checks the user's roles as well.

Examples:

acl.owner?("user123")                          # Check single user ID
acl.owner?("Admin")                            # Check single role name
acl.owner?(user_object)                        # Check user + their roles
acl.owner?(user_pointer)                       # Check user pointer + their roles
acl.owner?(["user123", "Admin"])               # Check array (OR logic)

Parameters:

• user_or_role (String, Parse::User, Parse::Pointer, Array<String>) —

  the user ID, role name, user object, user pointer, or array of user IDs/role names

Returns:

• (Boolean) —

  true if the user/role (or any in the array) has both read and write access

# File 'lib/parse/model/acl.rb', line 738

def owner?(user_or_role)
  # Handle arrays - check if ANY item in the array is an owner (OR logic)
  if user_or_role.is_a?(Array)
    # For arrays, just check each string value directly (no User object expansion)
    return user_or_role.any? do |item|
             key = normalize_permission_key(item)
             next false unless key
             perm = permissions[key]
             perm&.read == true && perm&.write == true
           end
  end

  # Handle Parse::Pointer to User - expand to include user ID and roles
  if user_or_role.is_a?(Parse::Pointer) || (user_or_role.respond_to?(:parse_class) && user_or_role.respond_to?(:id))
    # Check if it's a pointer to a User
    if user_or_role.respond_to?(:parse_class) && (user_or_role.parse_class == "User" || user_or_role.parse_class == "_User")
      permissions_to_check = []

      # Add the user ID from the pointer
      user_id = user_or_role.respond_to?(:id) ? user_or_role.id : nil
      permissions_to_check << user_id if user_id.present?

      # Query roles directly using the user pointer (no need to fetch the full user)
      begin
        if user_id.present? && defined?(Parse::Role)
          user_roles = Parse::Role.all(users: user_or_role)
          user_roles.each do |role|
            permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
          end
        end
      rescue
        # If role fetching fails, continue with just the user ID
      end

      # Check if any of the user's permissions (user ID or roles) are owners
      return owner?(permissions_to_check) if permissions_to_check.any?
      return false
    end
  end

  # If it's a User object, expand it to include the user ID and all their roles
  if user_or_role.is_a?(Parse::User) || (user_or_role.respond_to?(:is_a?) && user_or_role.is_a?(Parse::User))
    permissions_to_check = []

    # Add the user ID
    permissions_to_check << user_or_role.id if user_or_role.respond_to?(:id) && user_or_role.id.present?

    # Fetch and add all the user's roles
    begin
      if user_or_role.respond_to?(:id) && user_or_role.id.present? && defined?(Parse::Role)
        user_roles = Parse::Role.all(users: user_or_role)
        user_roles.each do |role|
          permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
        end
      end
    rescue
      # If role fetching fails, continue with just the user ID
    end

    # Check if any of the user's permissions (user ID or roles) are owners
    # Use array checking logic (OR)
    return owner?(permissions_to_check) if permissions_to_check.any?
    return false
  end

  # Single string value - check directly
  key = normalize_permission_key(user_or_role)
  return false unless key
  perm = permissions[key]
  perm&.read == true && perm&.write == true
end

#owners ⇒ Array<String>

Returns an array of all user IDs and role names that have both read and write access.

Returns:

• (Array<String>) —

  list of user IDs and role names with full access

# File 'lib/parse/model/acl.rb', line 723

def owners
  permissions.select { |k, v| v.read && v.write }.keys
end

#present? ⇒ Boolean

Returns true if there are any permissions.

Returns:

• (Boolean) —

  true if there are any permissions.

# File 'lib/parse/model/acl.rb', line 395

def present?
  permissions.values.any? { |v| v.present? }
end

#public_read? ⇒ Boolean

Checks if the object has public read access.

Returns:

• (Boolean) —

  true if public can read this object

# File 'lib/parse/model/acl.rb', line 687

def public_read?
  permissions[PUBLIC]&.read == true
end

#public_write? ⇒ Boolean

Checks if the object has public write access.

Returns:

• (Boolean) —

  true if public can write to this object

# File 'lib/parse/model/acl.rb', line 693

def public_write?
  permissions[PUBLIC]&.write == true
end

#read_only? ⇒ Boolean

Checks if the object is read-only (has read permissions but no write permissions).

Returns:

• (Boolean) —

  true if object has read access but no write access

# File 'lib/parse/model/acl.rb', line 711

def read_only?
  permissions.values.any? { |v| v.read } && permissions.values.none? { |v| v.write }
end

#readable_by ⇒ Array<String>

Returns an array of all user IDs and role names that have read access to this object.

Returns:

• (Array<String>) —

  list of user IDs and role names (e.g., ["*", "user123", "role:Admin"])

# File 'lib/parse/model/acl.rb', line 509

def readable_by
  permissions.select { |k, v| v.read }.keys
end

#readable_by?(user_or_role) ⇒ Boolean Also known as: can_read?

Checks if a specific user or role (or any in an array) has read access to this object. When passed an array of strings, returns true if ANY of the users/roles have read access (OR logic). When passed a Parse::User object or pointer, automatically fetches and checks the user's roles as well.

Examples:

acl.readable_by?("user123")                    # Check single user ID
acl.readable_by?("Admin")                      # Check single role name
acl.readable_by?(user_object)                  # Check user + their roles
acl.readable_by?(user_pointer)                 # Check user pointer + their roles
acl.readable_by?(["user123", "Admin"])         # Check array (OR logic)

Parameters:

• user_or_role (String, Parse::User, Parse::Pointer, Array<String>) —

  the user ID, role name, user object, user pointer, or array of user IDs/role names

Returns:

• (Boolean) —

  true if the user/role (or any in the array) has read access

# File 'lib/parse/model/acl.rb', line 532

def readable_by?(user_or_role)
  # Handle arrays - check if ANY item in the array has read access (OR logic)
  if user_or_role.is_a?(Array)
    # For arrays, just check each string value directly (no User object expansion)
    return user_or_role.any? do |item|
             key = normalize_permission_key(item)
             key && permissions[key]&.read == true
           end
  end

  # Handle Parse::Pointer to User - expand to include user ID and roles
  if user_or_role.is_a?(Parse::Pointer) || (user_or_role.respond_to?(:parse_class) && user_or_role.respond_to?(:id))
    # Check if it's a pointer to a User
    if user_or_role.respond_to?(:parse_class) && (user_or_role.parse_class == "User" || user_or_role.parse_class == "_User")
      permissions_to_check = []

      # Add the user ID from the pointer
      user_id = user_or_role.respond_to?(:id) ? user_or_role.id : nil
      permissions_to_check << user_id if user_id.present?

      # Query roles directly using the user pointer (no need to fetch the full user)
      begin
        if user_id.present? && defined?(Parse::Role)
          user_roles = Parse::Role.all(users: user_or_role)
          user_roles.each do |role|
            permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
          end
        end
      rescue
        # If role fetching fails, continue with just the user ID
      end

      # Check if any of the user's permissions (user ID or roles) have read access
      return readable_by?(permissions_to_check) if permissions_to_check.any?
      return false
    end
  end

  # If it's a User object, expand it to include the user ID and all their roles
  if user_or_role.is_a?(Parse::User) || (user_or_role.respond_to?(:is_a?) && user_or_role.is_a?(Parse::User))
    permissions_to_check = []

    # Add the user ID
    permissions_to_check << user_or_role.id if user_or_role.respond_to?(:id) && user_or_role.id.present?

    # Fetch and add all the user's roles
    begin
      if user_or_role.respond_to?(:id) && user_or_role.id.present? && defined?(Parse::Role)
        user_roles = Parse::Role.all(users: user_or_role)
        user_roles.each do |role|
          permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
        end
      end
    rescue
      # If role fetching fails, continue with just the user ID
    end

    # Check if any of the user's permissions (user ID or roles) have read access
    # Use array checking logic (OR)
    return readable_by?(permissions_to_check) if permissions_to_check.any?
    return false
  end

  # Single string value - check directly
  key = normalize_permission_key(user_or_role)
  return false unless key
  permissions[key]&.read == true
end

#will_change! ⇒ Object

Calls acl_will_change! on the delegate when the permissions have changed. All Object subclasses implement this method.

# File 'lib/parse/model/acl.rb', line 280

def will_change!
  @delegate.acl_will_change! if @delegate.respond_to?(:acl_will_change!)
end

#write_only? ⇒ Boolean

Checks if the object is write-only (has write permissions but no read permissions).

Returns:

• (Boolean) —

  true if object has write access but no read access

# File 'lib/parse/model/acl.rb', line 717

def write_only?
  permissions.values.any? { |v| v.write } && permissions.values.none? { |v| v.read }
end

#writeable_by ⇒ Array<String> Also known as: writable_by

Returns an array of all user IDs and role names that have write access to this object.

Returns:

• (Array<String>) —

  list of user IDs and role names (e.g., ["*", "user123", "role:Admin"])

# File 'lib/parse/model/acl.rb', line 515

def writeable_by
  permissions.select { |k, v| v.write }.keys
end

#writeable_by?(user_or_role) ⇒ Boolean Also known as: writable_by?, can_write?

Checks if a specific user or role (or any in an array) has write access to this object. When passed an array of strings, returns true if ANY of the users/roles have write access (OR logic). When passed a Parse::User object or pointer, automatically fetches and checks the user's roles as well.

Examples:

acl.writeable_by?("user123")                   # Check single user ID
acl.writeable_by?("Admin")                     # Check single role name
acl.writeable_by?(user_object)                 # Check user + their roles
acl.writeable_by?(user_pointer)                # Check user pointer + their roles
acl.writeable_by?(["user123", "Admin"])        # Check array (OR logic)

Parameters:

• user_or_role (String, Parse::User, Parse::Pointer, Array<String>) —

  the user ID, role name, user object, user pointer, or array of user IDs/role names

Returns:

• (Boolean) —

  true if the user/role (or any in the array) has write access

# File 'lib/parse/model/acl.rb', line 612

def writeable_by?(user_or_role)
  # Handle arrays - check if ANY item in the array has write access (OR logic)
  if user_or_role.is_a?(Array)
    # For arrays, just check each string value directly (no User object expansion)
    return user_or_role.any? do |item|
             key = normalize_permission_key(item)
             key && permissions[key]&.write == true
           end
  end

  # Handle Parse::Pointer to User - expand to include user ID and roles
  if user_or_role.is_a?(Parse::Pointer) || (user_or_role.respond_to?(:parse_class) && user_or_role.respond_to?(:id))
    # Check if it's a pointer to a User
    if user_or_role.respond_to?(:parse_class) && (user_or_role.parse_class == "User" || user_or_role.parse_class == "_User")
      permissions_to_check = []

      # Add the user ID from the pointer
      user_id = user_or_role.respond_to?(:id) ? user_or_role.id : nil
      permissions_to_check << user_id if user_id.present?

      # Query roles directly using the user pointer (no need to fetch the full user)
      begin
        if user_id.present? && defined?(Parse::Role)
          user_roles = Parse::Role.all(users: user_or_role)
          user_roles.each do |role|
            permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
          end
        end
      rescue
        # If role fetching fails, continue with just the user ID
      end

      # Check if any of the user's permissions (user ID or roles) have write access
      return writeable_by?(permissions_to_check) if permissions_to_check.any?
      return false
    end
  end

  # If it's a User object, expand it to include the user ID and all their roles
  if user_or_role.is_a?(Parse::User) || (user_or_role.respond_to?(:is_a?) && user_or_role.is_a?(Parse::User))
    permissions_to_check = []

    # Add the user ID
    permissions_to_check << user_or_role.id if user_or_role.respond_to?(:id) && user_or_role.id.present?

    # Fetch and add all the user's roles
    begin
      if user_or_role.respond_to?(:id) && user_or_role.id.present? && defined?(Parse::Role)
        user_roles = Parse::Role.all(users: user_or_role)
        user_roles.each do |role|
          permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
        end
      end
    rescue
      # If role fetching fails, continue with just the user ID
    end

    # Check if any of the user's permissions (user ID or roles) have write access
    # Use array checking logic (OR)
    return writeable_by?(permissions_to_check) if permissions_to_check.any?
    return false
  end

  # Single string value - check directly
  key = normalize_permission_key(user_or_role)
  return false unless key
  permissions[key]&.write == true
end