Class: Yes::Auth::Principals::User

Inherits:

ActiveRecord::Base

• Object
• ActiveRecord::Base
• Yes::Auth::Principals::User

Defined in:

lib/yes/auth/principals/user.rb

Overview

Represents an authorization principal user with roles and resource accesses.

Examples:

Finding a user and checking roles

user = Yes::Auth::Principals::User.find_by(identity_id: 'some-uuid')
user.read_resource_access_authorization_roles

Constant Summary

NO_AUTHORIZATION_ROLES_YET =

['no-roles-yet'].freeze

Instance Method Summary

• #read_resource_access_authorization_roles ⇒ Array<String>

  NOTE: Runs 2 queries (resource access roles + direct roles).

• #super_admin? ⇒ Boolean

  Whether the user has the super admin role.

• #write_resource_access_authorization_roles ⇒ Array<String>

  NOTE: Runs 2 queries (resource access roles + direct roles).

Instance Method Details

#read_resource_access_authorization_roles ⇒ Array<String>

NOTE: Runs 2 queries (resource access roles + direct roles). The direct roles query is shared with write_resource_access_authorization_roles but cannot be easily combined since they query different join tables. Use .includes(:roles) when loading the User to avoid N+1 on the direct roles association.

Returns:

• (Array<String>) —

  role names for read resource access authorization

# File 'lib/yes/auth/principals/user.rb', line 31

def read_resource_access_authorization_roles
  read_role_names = Set.new(
    Role.joins(:read_resource_accesses).where(read_resource_accesses: { principal_id: id }).complete.pluck(:name)
  )

  (read_role_names + complete_role_names).to_a
end

#super_admin? ⇒ Boolean

Returns whether the user has the super admin role.

Returns:

• (Boolean) —

  whether the user has the super admin role

# File 'lib/yes/auth/principals/user.rb', line 53

def super_admin?
  super_admin_role_id = Role.super_admin_role&.id
  return false unless super_admin_role_id

  roles.ids.include?(super_admin_role_id)
end

#write_resource_access_authorization_roles ⇒ Array<String>

NOTE: Runs 2 queries (resource access roles + direct roles). The direct roles query is shared with read_resource_access_authorization_roles but cannot be easily combined since they query different join tables. Use .includes(:roles) when loading the User to avoid N+1 on the direct roles association.

Returns:

• (Array<String>) —

  role names for write resource access authorization

# File 'lib/yes/auth/principals/user.rb', line 44

def write_resource_access_authorization_roles
  write_role_names = Set.new(
    Role.joins(:write_resource_accesses).where(write_resource_accesses: { principal_id: id }).complete.pluck(:name)
  )

  (write_role_names + complete_role_names).to_a
end