Class: Yes::Core::Authorization::ReadRequestCerbosAuthorizer Abstract

Inherits:
ReadRequestAuthorizer
Extended by:
CerbosClientProvider, OpenTelemetry::Trackable
Defined in:
lib/yes/core/authorization/read_request_cerbos_authorizer.rb

Overview

This class is abstract.

Read request Cerbos authorizer base class. Subclass and override the call method to implement a custom authorizer.

Constant Summary

Constants inherited from ReadRequestAuthorizer

Yes::Core::Authorization::ReadRequestAuthorizer::NotAuthorized

Class Method Summary

Class Method Details

.call(params, auth_data) ⇒ Boolean

Implement this method to authorize a read request. Needs to return true if read request is authorized, otherwise raise NotAuthorized.

Parameters:

  • params (Hash)

    request params to authorize

  • auth_data (Hash)

    authorization data

Returns:

  • (Boolean)

    true if read request is authorized; raises NotAuthorized otherwise

Raises:



# File 'lib/yes/core/authorization/read_request_cerbos_authorizer.rb', line 19

def call(params, auth_data)
  singleton_class.current_span&.add_attributes(
    { params: params.to_json, auth_data: auth_data.to_json }.stringify_keys
  )
  auth_data = auth_data.with_indifferent_access

  check_authorization_data(params) unless super_admin?(auth_data)

  decision = authorize(params, auth_data)
  singleton_class.current_span&.add_event('Cerbos Decision', attributes: { 'decision' => decision.to_json })
  return true if decision.allow_all?

  raise_unauthorized_error!(params, decision)
end
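
A subclass that honours the contract documented above (return true, or raise NotAuthorized), as an added Ruby example that is not the gem's own code. The Demo module, TenantReadAuthorizer, allowed? and the tenant_id / super_admin keys are assumptions, and unlike the source listing it decides locally instead of asking Cerbos.

```ruby
# Added example. Everything under Demo is a hypothetical stand-in so the file
# runs without the gem; only the contract (return true or raise NotAuthorized)
# is taken from the documentation above.
module Demo
  class NotAuthorized < StandardError; end

  # Stand-in for the abstract base: it refuses every request until overridden.
  class ReadRequestAuthorizer
    def self.call(_params, _auth_data)
      raise NotAuthorized, 'no authorizer implemented'
    end
  end

  # Hypothetical subclass: a read is allowed only inside the caller's tenant.
  class TenantReadAuthorizer < ReadRequestAuthorizer
    class << self
      def call(params, auth_data)
        # Normalise symbol and string keys so both spellings are checked.
        params = params.transform_keys(&:to_s)
        auth_data = auth_data.transform_keys(&:to_s)
        return true if super_admin?(auth_data)

        tenant = params['tenant_id']
        raise NotAuthorized, 'tenant_id is required' if tenant.nil? || tenant.to_s.empty?
        return true if auth_data['tenant_id'].to_s == tenant.to_s

        raise NotAuthorized, "read of tenant #{tenant} denied"
      end

      private

      # Strict comparison: the string "false" or 1 must not grant the bypass.
      def super_admin?(auth_data)
        auth_data['super_admin'] == true
      end
    end
  end

  # Caller-side helper: anything other than a literal true is a denial.
  def self.allowed?(authorizer, params, auth_data)
    authorizer.call(params, auth_data) == true
  rescue NotAuthorized
    false
  end
end
```

The strict `== true` in super_admin? matters because every non-nil, non-false Ruby value is truthy, so a deserialised "false" string would otherwise pass the bypass.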