Class: Textus::Domain::Authorizer

Inherits:
Object
Defined in:
lib/textus/domain/authorizer.rb

Overview

Authorization service: the single source of truth for the question “given a manifest entry and a role, may this caller read/write?” Extracted from Application::Context so that the rule lives in Domain alongside Permission.


Constructor Details

#initialize(manifest:) ⇒ Authorizer

Returns a new instance of Authorizer.



# File 'lib/textus/domain/authorizer.rb', line 9

def initialize(manifest:)
  @manifest = manifest
end

Instance Method Details

#authorize_read!(mentry, role:) ⇒ Object

Raises:

  • (ReadForbidden)


# File 'lib/textus/domain/authorizer.rb', line 28

def authorize_read!(mentry, role:)
  return if can_read?(mentry.zone, role: role)

  readers = @manifest.zone_readers[mentry.zone]
  readers = nil if readers == :all
  raise ReadForbidden.new(mentry.key, mentry.zone, readers: readers)
end

#authorize_write!(mentry, role:) ⇒ Object

Raises:

  • (WriteForbidden)


# File 'lib/textus/domain/authorizer.rb', line 21

def authorize_write!(mentry, role:)
  return if can_write?(mentry.zone, role: role)

  writers = @manifest.zone_writers(mentry.zone)
  raise WriteForbidden.new(mentry.key, mentry.zone, writers: writers)
end

#can_read?(zone, role:) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/textus/domain/authorizer.rb', line 17

def can_read?(zone, role:)
  @manifest.permission_for(zone.to_s).allows_read?(role)
end

#can_write?(zone, role:) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/textus/domain/authorizer.rb', line 13

def can_write?(zone, role:)
  @manifest.permission_for(zone.to_s).allows_write?(role)
end
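
Usage sketch for the four methods above, as an added example that is not code from the Textus project. It repeats the Authorizer method bodies from this page and pairs them with constructed stand-ins (Entry, Permission, Manifest, Forbidden and its subclasses, the role and zone names) whose behaviour is assumed, including deny-by-default for a zone the manifest does not list. It shows the call-site pattern of running the bang guard and reading the permitted roles off the raised error.

```ruby
# Added example. Entry, Permission, Manifest and the error classes are
# constructed stand-ins (assumptions); Authorizer repeats the page's methods.
Entry = Struct.new(:key, :zone)
Permission = Struct.new(:readers, :writers) do
  def allows_read?(role); readers == :all || readers.include?(role); end
  def allows_write?(role); writers.include?(role); end
end
class Forbidden < StandardError
  attr_reader :allowed
  def initialize(key, zone, readers: nil, writers: nil)
    @allowed = readers || writers
    super("#{key}: role not permitted in zone #{zone}")
  end
end
ReadForbidden = Class.new(Forbidden)
WriteForbidden = Class.new(Forbidden)
class Manifest
  def initialize(zones); @zones = zones; end # { "zone" => Permission }
  def permission_for(zone); @zones.fetch(zone, Permission.new([], [])); end # unknown zone: deny
  def zone_readers; @zones.transform_values(&:readers); end
  def zone_writers(zone); permission_for(zone.to_s).writers; end
end
class Authorizer
  def initialize(manifest:); @manifest = manifest; end
  def can_read?(zone, role:); @manifest.permission_for(zone.to_s).allows_read?(role); end
  def can_write?(zone, role:); @manifest.permission_for(zone.to_s).allows_write?(role); end
  def authorize_read!(mentry, role:)
    return if can_read?(mentry.zone, role: role)
    readers = @manifest.zone_readers[mentry.zone]
    readers = nil if readers == :all
    raise ReadForbidden.new(mentry.key, mentry.zone, readers: readers)
  end
  def authorize_write!(mentry, role:)
    return if can_write?(mentry.zone, role: role)
    raise WriteForbidden.new(mentry.key, mentry.zone, writers: @manifest.zone_writers(mentry.zone))
  end
end
# Runs the bang guard per role: role => :allowed or [:denied, permitted_roles].
def access_report(auth, entry, roles, op)
  roles.to_h do |role|
    auth.public_send("authorize_#{op}!", entry, role: role)
    [role, :allowed]
  rescue Forbidden => e
    [role, [:denied, e.allowed]]
  end
end
SAMPLE = Authorizer.new(manifest: Manifest.new({ # constructed sample zones
  "public" => Permission.new(:all, ["editor"]),
  "private" => Permission.new(%w[editor auditor], ["editor"]) }))
```

A report such as `access_report(SAMPLE, Entry.new("notes/a", "private"), %w[editor guest], :write)` doubles as a regression check that the guards and the `can_*?` predicates stay in agreement when the manifest changes.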