Class: Protege::AccessRule

Inherits:
ApplicationRecord show all
Defined in:
app/models/protege/access_rule.rb

Overview

One runtime allow/deny rule for a single persona — the dashboard-editable layer of the inbound access-control guardrail. Each record carries a kind (+allow+/+deny+) and an address pattern (an exact address or a * wildcard such as *@company.co); together a persona's rules fold into a Gateway::AccessPolicy via AccessRule.policy_for.

This is the narrowing layer: AccessControl intersects it with the committed global policy (+Protege.configuration.inbound_access+), so a persona's rules can only further restrict who may reach that agent — never widen past the org-wide ceiling. A persona with no rules imposes no constraint of its own.

Class Method Summary collapse

Class Method Details

.policy_for(persona) ⇒ Protege::Gateway::AccessPolicy

Fold one persona's rules into a single Gateway::AccessPolicy.

Groups the persona's +allow+/+deny+ patterns into the policy's lists; the policy then derives its own default (an allow-list implies default-deny). A persona with no rules yields a bare Gateway::AccessPolicy, which permits everyone and so drops out of the AccessControl intersection.

Parameters:

Returns:



40
41
42
43
44
45
46
47
# File 'app/models/protege/access_rule.rb', line 40

def policy_for(persona)
  grouped = where(persona:).group_by(&:kind)

  Gateway.build_access_policy(
    allow: Array(grouped['allow']).map(&:pattern),
    deny:  Array(grouped['deny']).map(&:pattern)
  )
end