forked from ManageIQ/manageiq
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathauthorizer.rb
61 lines (49 loc) · 2.04 KB
/
authorizer.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
module Rbac
class Authorizer
include Vmdb::Logging
def self.role_allows?(*args)
new.role_allows?(*args)
end
def role_allows?(options = {})
user = options[:user]
# 'identifier' comes from the back end (ex: User#role_allows?)
# 'feature' comes from the front end (ex: ApplicationHelper#role_allows?)
# As this API is a combination of the two, 'feature' is considered
# an alias of 'identifier' for legacy purposes.
identifier = options[:identifier] || options[:feature]
# The 'identifiers' option comes from the former User#role_allows_any? API
# It should be noted that there may be only ONE caller using 'identifiers'
# in Menu::Section, so this option may be changed shortly.
identifiers = options[:identifiers]
any = options[:any]
auth = if any.present?
user_role_allows_any?(user, :identifiers => (identifiers || [identifier]))
else
user_role_allows?(user, :identifier => identifier)
end
_log.debug("Auth #{auth ? "successful" : "failed"} for user '#{user.userid}', role '#{user.miq_user_role.try(:name)}', feature identifier '#{identifier}'")
auth
end
private
def user_role_allows?(user, options = {})
return false if user.miq_user_role.nil?
return true if user.miq_user_role.allows?(options)
ident = options[:identifier]
parent = MiqProductFeature.feature_parent(ident)
return false if parent.nil?
if MiqProductFeature.feature_hidden(ident)
# return true for common features that are hidden and are under hidden parent
# return true if any visible siblings are entitled
if MiqProductFeature.feature_hidden(parent)
true
else
user.miq_user_role.allows_any?(:identifiers => MiqProductFeature.feature_children(parent))
end
end
end
def user_role_allows_any?(user, options = {})
return false if user.miq_user_role.nil?
user.miq_user_role.allows_any?(options)
end
end
end