Module: Verikloak::Pundit::RoleMapper

Defined in:
lib/verikloak/pundit/role_mapper.rb

Overview

Maps roles to permissions using project configuration.

Class Method Summary collapse

Class Method Details

.map(role, config) ⇒ String, ...

Deprecated.

Use permission_for instead. This method now delegates to it so that strict mode and explicit nil revocations are honored consistently by every caller.

Map a Keycloak role to a domain permission via configuration.

Parameters:

  • role (String, Symbol)

    Role name from JWT claims

  • config (Configuration)

    Configuration providing the role_map

Returns:



17
18
19
# File 'lib/verikloak/pundit/role_mapper.rb', line 17

def map(role, config)
  permission_for(role, config)
end

.permission_for(role, config) ⇒ String, ...

Resolve the permission granted by a role, honoring strict mode. A role explicitly mapped to nil grants nothing even when strict mode is off — an explicit revocation of the role's implicit permission.

Parameters:

  • role (String, Symbol)

    Role name from JWT claims

  • config (Configuration)

    Configuration providing role_map and strict_permissions

Returns:

  • (String, Symbol, nil)

    Mapped permission, the role itself when unmapped and strict mode is off, or nil when unmapped in strict mode or explicitly mapped to nil



30
31
32
33
34
35
# File 'lib/verikloak/pundit/role_mapper.rb', line 30

def permission_for(role, config)
  key = role.to_sym
  return config.role_map[key] if config.role_map.key?(key)

  config.strict_permissions ? nil : role
end