-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathtoken_ability.rb
106 lines (89 loc) · 2.85 KB
/
token_ability.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# frozen_string_literal: true
module Api
# Describes the abilities of someone accessing the API with an access token.
# Admins can read, write, and delete all scenarios, provided they have the correct scope in the token.
# Users can read public scenarios and scenarios where they are viewers.
# Users with write scope can create, update, and clone scenarios where they are collaborators.
# Users with delete scope can delete scenarios where they are owners.
class TokenAbility
include CanCan::Ability
def initialize(token, user)
@scopes = token[:scopes]
@user = user
allow_public_read
allow_read if read_scope?
allow_write if write_scope?
allow_delete if delete_scope?
end
private
# Methods to allow access to scenarios based on the role.
# Everyone can read public scenarios.
def allow_public_read
can :read, Scenario, private: false
end
def allow_read
if admin?
can :read, Scenario
else
can :read, Scenario, id: viewer_scenario_ids
end
end
def allow_write
can :create, Scenario
if admin?
# Admins with write scope can update and clone all scenarios.
can :update, Scenario
can :clone, Scenario
else
# Non-admins
# Allow updating unowned public scenarios except when any association exists.
can :update, Scenario, private: false
cannot :update, Scenario, private: false, id: ScenarioUser.pluck(:scenario_id)
# Allow updating scenarios where the user is a collaborator.
can :update, Scenario, id: collaborator_scenario_ids
# Allow cloning both unowned public scenarios and self-owned scenarios.
can :clone, Scenario, private: false
can :clone, Scenario, id: collaborator_scenario_ids
end
end
def allow_delete
if admin?
can :destroy, Scenario
else
can :destroy, Scenario, id: owner_scenario_ids
end
end
# Methods to get the scenario ids for the user based on the role.
def viewer_scenario_ids
ScenarioUser.where(
user_id: @user.id,
role_id: User::ROLES.key(:scenario_viewer)..
).pluck(:scenario_id)
end
def collaborator_scenario_ids
ScenarioUser.where(
user_id: @user.id,
role_id: User::ROLES.key(:scenario_collaborator)..
).pluck(:scenario_id)
end
def owner_scenario_ids
ScenarioUser.where(
user_id: @user.id,
role_id: User::ROLES.key(:scenario_owner)
).pluck(:scenario_id)
end
# Methods to check the scopes of the token.
def read_scope?
@scopes.include?('scenarios:read')
end
def write_scope?
@scopes.include?('scenarios:write')
end
def delete_scope?
@scopes.include?('scenarios:delete')
end
def admin?
@user&.admin?
end
end
end