Class: Vert::Authorization::PermissionResolver

Inherits:
Object
  • Object
Defined in:
lib/vert/authorization/permission_resolver.rb

Constant Summary

CACHE_TTL =
5.minutes
CACHE_PREFIX =
"vert:permissions"

Class Method Summary

Class Method Details

.get_allowed_fields(user, permission_code, context = {}) ⇒ Object



# File 'lib/vert/authorization/permission_resolver.rb', line 28

# Reads the "granted_fields" entry of the field restrictions returned by
# get_field_restrictions for +permission_code+.
#
# @param user the subject being checked
# @param permission_code the permission whose field restrictions are read
# @param context [Hash] handed unchanged to get_field_restrictions
# @return [Object, nil] the stored "granted_fields" value; nil for a super
#   admin, when no restrictions come back, or when the key is absent
#
# NOTE(review): nil covers three different situations (super admin, no
# restriction record, key missing). A caller that reads nil as "every field
# is allowed" grants the same access in all three - confirm that is intended.
# NOTE(review): there is no nil-user guard here, unlike has_permission?; what
# happens for a nil user depends on super_admin? and get_field_restrictions.
def get_allowed_fields(user, permission_code, context = {})
  if super_admin?(user)
    nil
  else
    restrictions = get_field_restrictions(user, permission_code, context)
    restrictions.nil? ? nil : restrictions.dig("granted_fields")
  end
end

.get_condition(user, permission_code, condition_key, context = {}) ⇒ Object



# File 'lib/vert/authorization/permission_resolver.rb', line 22

# Looks up a single condition attached to +permission_code+ for +user+.
#
# @param user the subject being checked; a falsy user yields nil
# @param permission_code the permission whose conditions are read
# @param condition_key the condition name; converted with to_s before lookup
# @param context [Hash] handed unchanged to get_permission_conditions
# @return [Object, nil] the stored value, or nil when there is no user, no
#   conditions are returned, or the key is absent
#
# NOTE(review): there is no super_admin? short-circuit here, so stored
# conditions are still returned for a super admin - confirm callers expect it.
def get_condition(user, permission_code, condition_key, context = {})
  if user
    permission_conditions = get_permission_conditions(user, permission_code, context)
    permission_conditions&.dig(condition_key.to_s)
  end
end

.get_denied_fields(user, permission_code, context = {}) ⇒ Object



# File 'lib/vert/authorization/permission_resolver.rb', line 34

# Reads the "denied_fields" entry of the field restrictions returned by
# get_field_restrictions for +permission_code+.
#
# @param user the subject being checked
# @param permission_code the permission whose field restrictions are read
# @param context [Hash] handed unchanged to get_field_restrictions
# @return [Object] the stored "denied_fields" value, or an empty array for a
#   super admin, when no restrictions come back, or when the key is absent
#
# NOTE(review): an absent restriction record and an absent key both produce
# [], so a lookup that comes back empty cannot be told apart from "nothing is
# denied". Confirm get_field_restrictions raises rather than returning nil on
# a backend failure, otherwise this path fails open.
# NOTE(review): there is no nil-user guard here, unlike has_permission?.
def get_denied_fields(user, permission_code, context = {})
  if super_admin?(user)
    []
  else
    restrictions = get_field_restrictions(user, permission_code, context)
    denied = restrictions&.dig("denied_fields")
    denied || []
  end
end

.has_permission?(user, permission_code, context = {}) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/vert/authorization/permission_resolver.rb', line 10

# Decides whether +user+ holds +permission_code+ in +context+.
#
# A falsy user is always refused and a super admin is always allowed; both
# answers are given before the cache is consulted, so neither is cached here.
# For everyone else a cached decision is used when one exists, otherwise the
# decision is resolved and handed to cache_permission.
#
# @param user the subject being checked
# @param permission_code the permission being tested
# @param context [Hash] handed unchanged to the cache and resolver helpers
# @return [Boolean] the decision (whatever the cache or resolver returns)
#
# NOTE(review): only nil counts as a cache miss, so a cached false is
# returned as-is. Both grants and denials are therefore served from cache;
# a revoked grant stays effective until the entry is invalidated or expires -
# confirm every permission/role change calls the invalidate_* methods.
def has_permission?(user, permission_code, context = {})
  if !user
    false
  elsif super_admin?(user)
    true
  else
    cached_decision = get_cached_permission(user, permission_code, context)
    if cached_decision.nil?
      decision = resolve_permission(user, permission_code, context)
      cache_permission(user, permission_code, context, decision)
      decision
    else
      cached_decision
    end
  end
end

.invalidate_role_cache(role_id) ⇒ Object



# File 'lib/vert/authorization/permission_resolver.rb', line 61

# Invalidates the permission cache of every user linked to +role_id+ through
# UserRole, by calling invalidate_user_cache once per plucked user_id.
#
# @param role_id the role whose members should be invalidated
# @return [Array, nil] the plucked user ids, or nil when UserRole is not
#   defined
#
# NOTE(review): when UserRole is not defined this is a silent no-op, so
# cached decisions for that role's members are left in place. Consider
# logging that case so a missed invalidation is visible.
def invalidate_role_cache(role_id)
  return unless defined?(UserRole)

  member_ids = UserRole.where(role_id: role_id).pluck(:user_id)
  member_ids.each do |member_id|
    invalidate_user_cache(member_id)
  end
end

.invalidate_user_cache(user_id) ⇒ Object



# File 'lib/vert/authorization/permission_resolver.rb', line 53

# Deletes every cache entry matching "<CACHE_PREFIX>:<user_id>:*" through
# redis_delete_pattern.
#
# @param user_id the user whose cached permissions are dropped; blank values
#   are ignored
# @return [Object, nil] whatever redis_delete_pattern returns, or nil when
#   +user_id+ is blank
#
# NOTE(review): the glob characters are removed, not escaped. An id that
# contains any of them is rewritten, so the pattern no longer matches the
# keys written for that id (presumably built from the raw id - verify), and
# ids differing only in those characters collapse onto one pattern. If ids
# are always integers or UUIDs, validating the format and rejecting anything
# else would be stricter than stripping.
def invalidate_user_cache(user_id)
  unless user_id.blank?
    # Strip pattern metacharacters (* ? [ ] { } \) so the id cannot widen the
    # match passed to the Redis key-pattern delete.
    glob_free_id = user_id.to_s.gsub(%r{[*?\[\]\{\}\\]}, "")
    redis_delete_pattern("#{CACHE_PREFIX}:#{glob_free_id}:*")
  end
end

.user_permissions(user, context = {}) ⇒ Object



# File 'lib/vert/authorization/permission_resolver.rb', line 40

# Lists the permissions held by +user+ in +context+.
#
# A falsy user gets an empty list and a super admin gets the single wildcard
# entry "*"; neither touches the cache. Otherwise the list is read from the
# cache under user_permissions_cache_key, and on a miss it is collected and
# stored with CACHE_TTL.
#
# @param user the subject whose permissions are listed
# @param context [Hash] handed unchanged to the key and collector helpers
# @return [Object] [] for no user, ["*"] for a super admin, otherwise the
#   cached or freshly collected permissions
#
# NOTE(review): any truthy cached value is returned without re-checking, so
# the list can lag behind a permission change until the entry is invalidated
# or expires. Callers that treat "*" as allow-all should make sure that
# value can only originate from the super_admin? branch.
def user_permissions(user, context = {})
  if !user
    []
  elsif super_admin?(user)
    ["*"]
  else
    key = user_permissions_cache_key(user, context)
    hit = redis_get(key)
    if hit
      hit
    else
      fresh = collect_user_permissions(user, context)
      redis_set(key, fresh, CACHE_TTL)
      fresh
    end
  end
end