module Auth::Authorization
Public Class Methods
authorized_admin?(request, params, current_auth, db)
click to toggle source
# File lib/jungle_path/app/auth/authorization.rb, line 44 def self.authorized_admin? request, params, current_auth, db authorized = false if current_auth.has_permission?(:admin) # auth_admin not allowed to deal with root users/keys/roles... authorized = true parts = request.path_info.split('/') allowed = { 'organizations' => true, 'user_organizations' => true, 'images' => true, 'sentiment_sets' => true, 'events' => true, 'sessions' => true, 'moderators' => true, 'foci' => true, 'categories' => true } if request.path_info == "/users" # post... role_id = params[:role_id] authorized = false if role_id and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) # :auth_admin not allowed to add a root user_role. elsif parts[1] == "users" # put or delete user_id = parts[2].to_i role_id = params[:role_id] authorized = false if JunglePath::SQL::UserRole.has_root_role_by_user_id(db, user_id) # :auth_admin not allowed to modify data related to a user with a role of root. authorized = false if authorized and role_id and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) # :auth_admin not allowed to add a root user_role. elsif request.path_info == "/user_roles" # post... user_id = params[:user_id] role_id = params[:role_id] authorized = false if JunglePath::SQL::UserRole.has_root_role_by_user_id(db, user_id) authorized = false if authorized and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) elsif parts[1] == "user_roles" # put or delete user_id = parts[2].to_i role_id = parts[3].to_i authorized = false if JunglePath::SQL::UserRole.has_root_role_by_user_id(db, user_id) authorized = false if authorized and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) elsif allowed[parts[1]] authorized = true else authorized = false end end authorized end
Public Instance Methods
set_authorization(route_access)
click to toggle source
# File lib/jungle_path/app/auth/authorization.rb, line 7 def set_authorization route_access before do puts "verb: #{request.request_method}." puts "path: #{request.path_info}." authorized = false authorized = JunglePath::Authorization::Paths.is_open_path?(request, route_access) authorized = JunglePath::Authorization::Paths.is_authenticated_path?(request, route_access) unless authorized unless authorized if request.get? authorized = true if current_auth.has_permission?(:root) authorized = true if current_auth.has_permission?(:read) end if request.post? or request.put? or request.delete? authorized = true if current_auth.has_permission?(:root) unless authorized authorized = true if current_auth.has_permission?(:write) unless authorized authorized = true if request.path_info == "/query" and current_auth.has_permission?(:read) unless authorized authorized = true if request.path_info == "/users/#{current_user.id}" unless authorized authorized = true if Auth::Authorization.authorized_admin?(request, params, current_auth, db) unless authorized authorized = false if current_auth.has_restriction?(:read) end authorized = false if current_auth.has_restriction?(:query_only) unless JunglePath::Authorization::Paths.is_query_only_path? request, current_auth end unless authorized message = "request was not allowed.\n\nrequest: #{request.request_method} #{request.path_info}\nuser_name: #{current_user.user_name}\nroles: #{current_auth.roles}\npermissions: #{current_auth.permissions}\nrestrictions: #{current_auth.restrictions}" # http status code 403 Forbidden. puts "request status: 403\n#{message}." halt 403, message end end end