Class: Protege::AccessRule
- Inherits:
-
ApplicationRecord
- Object
- ActiveRecord::Base
- ApplicationRecord
- Protege::AccessRule
- Defined in:
- app/models/protege/access_rule.rb
Overview
One runtime allow/deny rule for a single persona — the dashboard-editable layer of the inbound
access-control guardrail. Each record carries a kind (+allow+/+deny+) and an address pattern
(an exact address or a * wildcard such as *@company.co); together a persona's rules fold into
a Gateway::AccessPolicy via AccessRule.policy_for.
This is the narrowing layer: AccessControl intersects it with the committed global policy
(+Protege.configuration.inbound_access+), so a persona's rules can only further restrict who may
reach that agent — never widen past the org-wide ceiling. A persona with no rules imposes no
constraint of its own.
Class Method Summary collapse
-
.policy_for(persona) ⇒ Protege::Gateway::AccessPolicy
Fold one persona's rules into a single
Gateway::AccessPolicy.
Class Method Details
.policy_for(persona) ⇒ Protege::Gateway::AccessPolicy
Fold one persona's rules into a single Gateway::AccessPolicy.
Groups the persona's +allow+/+deny+ patterns into the policy's lists; the policy then derives
its own default (an allow-list implies default-deny). A persona with no rules yields a bare
Gateway::AccessPolicy, which permits everyone and so drops out of the AccessControl
intersection.
40 41 42 43 44 45 46 47 |
# File 'app/models/protege/access_rule.rb', line 40 def policy_for(persona) grouped = where(persona:).group_by(&:kind) Gateway.build_access_policy( allow: Array(grouped['allow']).map(&:pattern), deny: Array(grouped['deny']).map(&:pattern) ) end |