module Strongbolt::BoltedController::InstanceMethods

Public Instance Methods

can?(*args)

# File lib/strongbolt/bolted_controller.rb, line 138
# Delegates to Strongbolt.current_user#can?, e.g. can?(:update, obj)
def can?(*args)
  Strongbolt.current_user.can?(*args)
end
cannot?(*args)

# File lib/strongbolt/bolted_controller.rb, line 142
# Delegates to Strongbolt.current_user#cannot?, the negation of can?
def cannot?(*args)
  Strongbolt.current_user.cannot?(*args)
end
render(*args)

We alias render so that, for actions listed in actions_without_authorization, rendering runs inside Strongbolt.without_authorization; every other action renders with authorization active.

Note left in the source by the author: DOESN'T WORK WHEN DEFINED HERE?

# File lib/strongbolt/bolted_controller.rb, line 159
# _render is the original render, aliased as described above
def render(*args)
  if render_without_authorization?
    Strongbolt.without_authorization { _render(*args) }
  else
    _render(*args)
  end
end
render_without_authorization?()

Returns true when the current action (params[:action]) is listed in the controller's actions_without_authorization, i.e. rendering for it should skip authorization; returns false when the list is empty or the action is not in it.

# File lib/strongbolt/bolted_controller.rb, line 149
def render_without_authorization?
  self.class.actions_without_authorization.present? &&
    self.class.actions_without_authorization.include?(params[:action].to_sym)
end

Private Instance Methods

catch_grant_error() { || ... }

Runs the block and converts any Grant::Error it raises into a Strongbolt::Unauthorized carrying the same message.

# File lib/strongbolt/bolted_controller.rb, line 229
def catch_grant_error
  yield
rescue Grant::Error => e
  raise Strongbolt::Unauthorized, e.to_s
end
check_authorization()

Checks authorization against the controller's model class rather than a fetched record: the check can answer yes to :index without thereby authorizing every record loaded afterwards, which is left to the model-by-model authorization. Note that when there is no current user, or Strongbolt is disabled, the check is skipped with only a warning logged, so authentication must run before this filter or unauthenticated requests pass through unchecked. An action with no CRUD mapping raises Strongbolt::ActionNotConfigured rather than being allowed.

# File lib/strongbolt/bolted_controller.rb, line 199
def check_authorization
  # If no user or disabled, no need
  if Strongbolt.current_user.present? && Strongbolt.enabled?
    # The model class for this controller, checked without loading any record.
    # A Strongbolt::ModelNotFound raised here is not rescued and propagates.
    obj = self.class.model_for_authorization

    # Unless the user is authorized for the CRUD operation mapped to this action
    unless Strongbolt.current_user.can? crud_operation_of(action_name), obj
      Strongbolt.access_denied current_user, obj, crud_operation_of(action_name), request.try(:fullpath)
      raise Strongbolt::Unauthorized.new Strongbolt.current_user, action_name, obj
    end
  else
    Strongbolt.logger.warn 'No authorization checking because no current user or Strongbolt disabled'
  end
end
crud_operation_of(action)

Returns the CRUD operation mapped to the given action name via the controller's actions_mapping; raises Strongbolt::ActionNotConfigured when the action has no mapping.

# File lib/strongbolt/bolted_controller.rb, line 238
def crud_operation_of(action)
  operation = self.class.actions_mapping[action.to_sym]
  # If nothing is found we raise, so an unmapped action is never silently allowed
  if operation.nil?
    raise Strongbolt::ActionNotConfigured, "Action #{action} on controller #{self.class.controller_name} not mapped to a CRUD operation"
  end
  # Else ok
  operation
end
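The following is an added example, not code from the strongbolt gem: a stand-in that mirrors the decision flow of crud_operation_of, check_authorization and render_without_authorization so that the three outcomes can be exercised offline, namely the fail-closed path for an unmapped action, the Unauthorized path for a mapped but forbidden operation, and the fail-open path when no current user is set or authorization is disabled. The Demo module, Post and User classes, PostsController, its actions_mapping table and the rights granted to the editor are all constructed assumptions for this example.

```ruby
# Added example, not code from the strongbolt gem: a stand-in that mirrors the
# decision flow of check_authorization, crud_operation_of and
# render_without_authorization. Demo, Post, User, PostsController, the
# actions_mapping table and the rights granted below are constructed here.
module Demo
  class Unauthorized < StandardError; end
  class ActionNotConfigured < StandardError; end

  # Process-wide state standing in for Strongbolt.current_user / Strongbolt.enabled?
  class << self
    attr_accessor :current_user, :warnings
    attr_writer :enabled

    def enabled?
      @enabled.nil? ? true : @enabled
    end
  end
  self.warnings = []

  class Post; end

  # Constructed user: rights maps a model class to the CRUD operations allowed on it.
  User = Struct.new(:name, :rights) do
    def can?(operation, model)
      rights.fetch(model, []).include?(operation)
    end
  end

  class PostsController
    # Controller-level configuration the gem reads through self.class.*;
    # these values are assumptions for the example, not the gem's defaults.
    def self.model_for_authorization
      Post
    end

    def self.actions_mapping
      { index: :find, show: :find, create: :create, update: :update, destroy: :destroy }
    end

    def self.actions_without_authorization
      [:health]
    end

    attr_reader :action_name

    def initialize(action)
      @action_name = action.to_s
    end

    def params
      { action: action_name }
    end

    # Fail closed: an action with no CRUD mapping raises instead of being allowed.
    def crud_operation_of(action)
      operation = self.class.actions_mapping[action.to_sym]
      raise ActionNotConfigured, "Action #{action} not mapped to a CRUD operation" if operation.nil?
      operation
    end

    def render_without_authorization?
      list = self.class.actions_without_authorization
      !list.empty? && list.include?(params[:action].to_sym)
    end

    # Returns :allowed, raises Unauthorized, or returns :skipped when no user is
    # set or authorization is disabled (the fail-open path, which is only logged).
    def check_authorization
      unless Demo.current_user && Demo.enabled?
        Demo.warnings << "No authorization checking because no current user or authorization disabled"
        return :skipped
      end
      obj = self.class.model_for_authorization # the class, not a loaded record
      operation = crud_operation_of(action_name)
      unless Demo.current_user.can?(operation, obj)
        raise Unauthorized, "#{Demo.current_user.name} may not #{operation} #{obj}"
      end
      :allowed
    end
  end

  # Run one request's authorization filter and report the outcome; the ensure
  # plays the role of unset_current_user so state never leaks into the next call.
  def self.dispatch(action, user, enabled: true)
    self.current_user = user
    self.enabled = enabled
    PostsController.new(action).check_authorization
  rescue Unauthorized
    :unauthorized
  rescue ActionNotConfigured
    :not_configured
  ensure
    self.current_user = nil
  end
end

if __FILE__ == $PROGRAM_NAME
  editor = Demo::User.new("alice", { Demo::Post => [:find, :update] })
  %i[index update destroy publish].each { |a| puts "#{a}: #{Demo.dispatch(a, editor)}" }
  puts "destroy with no user: #{Demo.dispatch(:destroy, nil)}"
end
```

The point to take from the :skipped outcome is that a missing current user does not produce a denial; a real controller has to make sure its authentication filter runs before check_authorization, otherwise that path is reachable by anyone.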
disable_authorization() { || ... }

CAREFUL: this skips authorization! The warning is logged only after the block returns, so a block that raises leaves no trace in the log.

# File lib/strongbolt/bolted_controller.rb, line 251
def disable_authorization
  Strongbolt.without_authorization { yield }
  Strongbolt.logger.warn 'Authorization were disabled!'
end
set_current_user()

Sets Strongbolt.current_user from the controller's current_user method (when one is defined), with Grant disabled for the duration: with Grant active, looking up the user would first check whether that user is allowed to find itself, before any user has been assigned.

This avoids having to define an anonymous rule granting find to everyone.

The request is also stored in the global $request so models can reach it when not granted; a Ruby global is process-wide and shared by every thread, not a per-thread value.

# File lib/strongbolt/bolted_controller.rb, line 177
def set_current_user
  # To be accessible in the model when not granted ($request is process-wide)
  # rubocop:disable Style/GlobalVars
  $request = request
  # rubocop:enable Style/GlobalVars
  # Look the user up with Grant switched off, see the note above
  Grant::Status.without_grant do
    Strongbolt.current_user = send(:current_user) if respond_to?(:current_user)
  end
end
unset_current_user()

Unsets the current user after the request as a safety measure: on servers with a single thread the value would otherwise survive into the next request handled on that thread.

# File lib/strongbolt/bolted_controller.rb, line 190
def unset_current_user
  Strongbolt.current_user = nil
end