module ApiAuthorization
Constants
- VERSION
Public Class Methods
Public Instance Methods
check_allowed_params(params, controller, action)
Filter the request params to decide whether or not a user has the right to push a certain value as a parameter.
example:
allowed_params = { anno: [2019] } will remove the key from the params if the params hash contains a key :anno with a value which is not 2019.
@param params [Action::Parameters]
@return [Action::Parameters] the params without the disallowed key/values.

  # File lib/api_authorization/railtie.rb, line 48
  def check_allowed_params(params, controller, action)
    roles = current_user.try(:permissions)
    # Superadmins bypass parameter filtering entirely.
    return params if roles.find { |role| role.try(:name).try(:downcase) == 'superadmin' }

    rules = roles.where('controller = ? AND action = ? AND allowed_params IS NOT NULL', controller, action)
    return params if rules.nil? || rules.empty?

    rules.each do |rule|
      next if rule.allowed_params.nil?

      rule.allowed_params.each do |k, v|
        puts " key: #{k}, value: #{v}" # debug output
        # Drop the parameter unless its value is one of the allowed values.
        params.delete(k) unless Array(v).include?(params[k]) || v == params[k]
      end
    end
    params
  end
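The following is an added example, not the gem's own code: it models the allowed_params rule described above in plain Ruby, with a Hash standing in for Action::Parameters and a constructed RULES table standing in for the permission records. One point it makes explicit is that request parameters arrive as strings while a rule such as `{ anno: [2019] }` holds an Integer, so the comparison here is done on the String form of both sides; that normalisation is a design choice of this example, not something the gem's code does.

```ruby
# Added example, not the gem's own code: a plain-Ruby model of the
# allowed_params filter, with constructed rule data in place of the
# ActiveRecord permission records.

# Constructed rules: one per (controller, action); allowed_params lists
# the values a role may send for a given key (a whitelist per key).
RULES = [
  { controller: 'invoices', action: 'index', allowed_params: { 'anno' => [2019] } },
  { controller: 'invoices', action: 'index', allowed_params: { 'stato' => %w[aperta chiusa] } },
  { controller: 'invoices', action: 'show',  allowed_params: nil }
].freeze

# Request params are strings; rule values may be integers, so compare
# String forms. (Assumption of this example, not of the gem.)
def value_allowed?(allowed, actual)
  Array(allowed).map(&:to_s).include?(actual.to_s)
end

# Returns a copy of params with every disallowed key removed.
# superadmin: true reproduces the gem's bypass for that role.
def filter_allowed_params(params, controller, action, rules: RULES, superadmin: false)
  return params if superadmin

  matching = rules.select { |r| r[:controller] == controller && r[:action] == action }
  return params if matching.empty?

  filtered = params.dup
  matching.each do |rule|
    next if rule[:allowed_params].nil?

    rule[:allowed_params].each do |key, allowed|
      # An absent key is a no-op, as params.delete on a missing key is.
      next unless filtered.key?(key)

      filtered.delete(key) unless value_allowed?(allowed, filtered[key])
    end
  end
  filtered
end

if __FILE__ == $PROGRAM_NAME
  p filter_allowed_params({ 'anno' => '2018', 'stato' => 'aperta' }, 'invoices', 'index')
end
```

Keys with no rule (such as `page`) pass through untouched; only keys that appear in a matching rule are checked, and a rule with a nil allowed_params imposes no restriction.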
check_role()
Filter the request by controller and action to decide whether a user can execute that action in that controller.
@return nil when the user is allowed; otherwise renders not_authorized.

  # File lib/api_authorization/railtie.rb, line 17
  def check_role
    puts 'AUTHORIZATION: Checking user roles' if Rails.env == 'development'
    roles = current_user.try(:roles)
    # Superadmins are allowed everywhere.
    return if roles.find { |role| role.try(:name).try(:downcase) == 'superadmin' }
    # A user with no roles is denied.
    return not_authorized if current_user.roles.empty?

    current_user.roles.each do |role|
      return if role.permissions.where(controller: params['controller'], action: params['action']).count.positive?
    end
    not_authorized
  rescue StandardError
    # Any failure while evaluating roles (e.g. no current_user) denies the request.
    not_authorized
  end
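As an added example (not the gem's own code), the same controller/action role check in plain Ruby, with Struct-based User, Role and Permission objects constructed here in place of the ActiveRecord models. It keeps the three decisions of check_role: a superadmin role allows everything, a user with no roles is denied, and any error raised while evaluating the roles (a nil user, for instance) is treated as a denial rather than a pass.

```ruby
# Added example, not the gem's own code: a plain-Ruby model of the
# controller/action role check, with constructed stand-ins for the
# User, Role and Permission records.
Permission = Struct.new(:controller, :action)
Role = Struct.new(:name, :permissions)
User = Struct.new(:roles)

# Returns :allowed or :not_authorized.
def authorize(user, controller, action)
  roles = user.roles # raises NoMethodError for a nil user; rescued below
  return :allowed if roles.any? { |r| r.name.to_s.downcase == 'superadmin' }
  return :not_authorized if roles.empty?

  granted = roles.any? do |role|
    role.permissions.any? { |p| p.controller == controller && p.action == action }
  end
  granted ? :allowed : :not_authorized
rescue StandardError
  # Fail closed: an error while checking roles is a denial, never a pass.
  :not_authorized
end

if __FILE__ == $PROGRAM_NAME
  viewer = Role.new('viewer', [Permission.new('invoices', 'index')])
  p authorize(User.new([viewer]), 'invoices', 'index')   # :allowed
  p authorize(User.new([viewer]), 'invoices', 'destroy') # :not_authorized
end
```

Matching is exact on both controller and action, so a permission for `invoices#index` says nothing about `invoices#destroy`; the role name comparison is case-insensitive, as in the gem.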