Created
November 13, 2009 17:11
-
-
Save tammersaleh/233994 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # I add authorization query methods to every ActiveRecord model (through ActiveRecord::Base). | |
| # | |
| # Each model is given the following methods: | |
| # | |
| # == Class methods: | |
| # | |
| # Model.creatable? | |
| # Model.creatable_by? user | |
| # | |
| # == Instance methods: | |
| # | |
| # @model.readable? | |
| # @model.readable_by? user | |
| # @model.editable? | |
| # @model.editable_by? user | |
| # @model.destroyable? | |
| # @model.destroyable_by? user | |
| # | |
| # == Customization | |
| # | |
| # The xxx_by? methods all return true by default, and should be redefined by | |
| # each model in turn. | |
| # | |
| # Each of the creatable?, readable?, editable? and destroyable? methods simply | |
| # delegate to the xxx_by? methods, using the currently logged in user. | |
| # | |
| # *Do not override the creatable?, readable?, editable? or destroyable? | |
| # methods.* | |
| module ActiveRecordSecurity | |
| module ClassMethods | |
| # Should the current user be able to create a record? | |
| def creatable? | |
| creatable_by?(user_from_session) | |
| end | |
| # Should the given user be able to create a record? This method should be | |
| # redefined inside the Model. | |
| def creatable_by?(user) | |
| true | |
| end | |
| # Returns the currently logged in user (via Authlogic) | |
| def user_from_session | |
| UserSession.find && UserSession.find.user | |
| rescue Authlogic::Session::Activation::NotActivatedError | |
| nil | |
| end | |
| end | |
| module InstanceMethods | |
| # Should the current user be able to read this record? | |
| def readable? | |
| readable_by?(user_from_session) | |
| end | |
| # Should the given user be able to read this record? This method should be | |
| # redefined inside the Model. | |
| def readable_by?(user) | |
| true | |
| end | |
| # Should the current user be able to edit this record? | |
| def editable? | |
| editable_by?(user_from_session) | |
| end | |
| # Should the given user be able to edit this record? This method should be | |
| # redefined inside the Model. | |
| def editable_by?(user) | |
| true | |
| end | |
| # Should the current user be able to destroy this record? | |
| def destroyable? | |
| destroyable_by?(user_from_session) | |
| end | |
| # Should the given user be able to destroy this record? This method should be | |
| # redefined inside the Model. | |
| def destroyable_by?(user) | |
| true | |
| end | |
| # Returns the currently logged in user (via Authlogic) | |
| def user_from_session | |
| self.class.user_from_session | |
| end | |
| end | |
| end | |
| class ActiveRecord::Base | |
| extend ActiveRecordSecurity::ClassMethods | |
| include ActiveRecordSecurity::InstanceMethods | |
| end |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| should_be_creatable_by("administrator") { Factory(:administrator) } | |
| should_be_creatable_by("journalist") { Factory(:journalist) } | |
| should_be_creatable_by("company representative") { Factory(:company_representative) } | |
| should_not_be_creatable_by("guests") { nil } | |
| context "a note" do | |
| setup { @note = Factory(:note, :title => "A little note") } | |
| subject { @note } | |
| should_be_destroyable_by("administrator") { Factory(:administrator) } | |
| should_be_editable_by("administrator") { Factory(:administrator) } | |
| should_not_be_destroyable_by("owner") { @note.owner } | |
| should_not_be_editable_by("owner") { @note.owner } | |
| should_be_readable_by("guests") { nil } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment