module Auth::Authorization

Public Class Methods

authorized_admin?(request, params, current_auth, db) click to toggle source
# File lib/jungle_path/app/auth/authorization.rb, line 44
def self.authorized_admin? request, params, current_auth, db
        authorized = false
        if current_auth.has_permission?(:admin)
                # auth_admin not allowed to deal with root users/keys/roles...

                authorized = true

                parts = request.path_info.split('/')

                allowed = {
                        'organizations' => true,
                        'user_organizations' => true,
                        'images' => true,
                        'sentiment_sets' => true,
                        'events' => true,
                        'sessions' => true,
                        'moderators' => true,
                        'foci' => true,
                        'categories' => true
                }

                if request.path_info == "/users" # post...
                        role_id = params[:role_id]
                        authorized = false if role_id and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) # :auth_admin not allowed to add a root user_role.

                elsif parts[1] == "users" # put or delete
                        user_id = parts[2].to_i
                        role_id = params[:role_id]
                        authorized = false if JunglePath::SQL::UserRole.has_root_role_by_user_id(db, user_id) # :auth_admin not allowed to modify data related to a user with a role of root.
                        authorized = false if authorized and role_id and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id) # :auth_admin not allowed to add a root user_role.

                elsif request.path_info == "/user_roles" # post...
                        user_id = params[:user_id]
                        role_id = params[:role_id]
                        authorized = false if JunglePath::SQL::UserRole.has_root_role_by_user_id(db, user_id)
                        authorized = false if authorized and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id)

                elsif parts[1] == "user_roles" # put or delete
                        user_id = parts[2].to_i
                        role_id = parts[3].to_i
                        authorized = false if JunglePath::SQL::UserRole.has_root_role_by_user_id(db, user_id)
                        authorized = false if authorized and JunglePath::SQL::UserRole.is_root_role_by_role_id(db, role_id)

                elsif allowed[parts[1]]
                        authorized = true

                else
                        authorized = false
                end
        end
        authorized
end

Public Instance Methods

set_authorization(route_access) click to toggle source
# File lib/jungle_path/app/auth/authorization.rb, line 7
def set_authorization route_access
        before do
                puts "verb: #{request.request_method}."
                puts "path: #{request.path_info}."

                authorized = false

                authorized = JunglePath::Authorization::Paths.is_open_path?(request, route_access)
                authorized = JunglePath::Authorization::Paths.is_authenticated_path?(request, route_access) unless authorized

                unless authorized
                        if request.get?
                                authorized = true if current_auth.has_permission?(:root)
                                authorized = true if current_auth.has_permission?(:read)
                        end

                        if request.post? or request.put? or request.delete?
                                authorized = true if current_auth.has_permission?(:root) unless authorized
                                authorized = true if current_auth.has_permission?(:write) unless authorized
                                authorized = true if request.path_info == "/query" and current_auth.has_permission?(:read) unless authorized
                                authorized = true if request.path_info == "/users/#{current_user.id}" unless authorized
                                authorized = true if Auth::Authorization.authorized_admin?(request, params, current_auth, db) unless authorized
                                authorized = false if current_auth.has_restriction?(:read)
                        end

                        authorized = false if current_auth.has_restriction?(:query_only) unless JunglePath::Authorization::Paths.is_query_only_path? request, current_auth
                end

                unless authorized
                        message = "request was not allowed.\n\nrequest: #{request.request_method} #{request.path_info}\nuser_name: #{current_user.user_name}\nroles: #{current_auth.roles}\npermissions: #{current_auth.permissions}\nrestrictions: #{current_auth.restrictions}"
                        # http status code 403 Forbidden.
                        puts "request status: 403\n#{message}."
                        halt 403, message
                end
        end
end