class PIM::Authorization::Role

Attributes

hidden[R]
match_mode[R]
name[R]
permissions[R]
system[R]

Public Class Methods

from_json(hash)

Builds a Role from a JSON Hash (as produced by the Java Role.toJson method or the Ruby as_json output). Accepts either String or Symbol keys so callers don’t have to normalize the input coming through PIM::Services.__convert (which uses JSON.parse, String keys) or hand-built Ruby hashes (Symbol keys).

Uses allocate instead of the regular DSL constructor because the latter is tailored to data-model authoring (name + permissions + match: kwarg) and does not know how to reconstitute the @hidden / @system flags or the wire-format "match" string. See the jruby-java-interop Cursor rule: Ruby must consume Hashes instead of live Java objects.

# File pim.rb, line 8109
def self.from_json hash
  return nil if hash.nil?
  name = PIM.get_value(hash, :name)
  permissions = (PIM.get_value(hash, :permissions) || []).map { |p| Permission.from_json(p) }
  match = PIM.get_value(hash, :match)
  match_mode = match ? match.to_sym : DEFAULT_MATCH_MODE
  role = allocate
  role.instance_variable_set(:@name, name)
  role.instance_variable_set(:@permissions, permissions)
  role.instance_variable_set(:@hidden, PIM.get_value(hash, :hidden) ? true : false)
  role.instance_variable_set(:@system, PIM.get_value(hash, :system) ? true : false)
  role.instance_variable_set(:@match_mode, match_mode)
  role
end

new(name, permissions, match_mode: DEFAULT_MATCH_MODE)
# File pim.rb, line 8089
def initialize name, permissions, match_mode: DEFAULT_MATCH_MODE
  @name = name
  @permissions = permissions
  @hidden = false
  @system = false
  @match_mode = match_mode
end

Public Instance Methods

as_json(opts = {})
# File pim.rb, line 8124
def as_json opts = {}
  json = {
    :name => name,
    :permissions => permissions.map { |p| p.as_json(opts) },
    :hidden => hidden
  }
  # Emit +match+ only for non-default modes so existing golden masters
  # for role JSON stay diff-free.
  json[:match] = @match_mode.to_s if @match_mode && @match_mode != DEFAULT_MATCH_MODE
  json
end

get_matching_permissions(object_type, action, context = nil)
# File pim.rb, line 8158
def get_matching_permissions object_type, action, context = nil
  permissions = []
  @permissions.each do |p|
    permissions << p if p.matches?(object_type, action, context)
  end
  permissions
end

has_permission?(object_type, action, context = nil)

Within-role evaluation: returns the verdict of the last matching permission (reverse iteration), or false when no permission matches. It always reflects the within-role rule and is independent of match_mode; use DataModel#has_permission? for the cross-role evaluator that honors match_mode.

# File pim.rb, line 8141
def has_permission? object_type, action, context = nil
  matching = matching_permission(object_type, action, context)
  matching ? matching.is_allowed? : false
end

hide()
# File pim.rb, line 8166
def hide
  @hidden = true
end

matching_permission(object_type, action, context = nil)

Returns the Permission that would decide the verdict for this (object_type, action, context) tuple under the within-role rule (last-match-wins / reverse iteration), or nil when no permission in this role mentions the tuple. Used by the cross-role evaluator to inspect is_allowed? before applying match_mode.

# File pim.rb, line 8151
def matching_permission object_type, action, context = nil
  @permissions.reverse_each do |p|
    return p if p.matches?(object_type, action, context)
  end
  nil
end
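
Because has_permission? and matching_permission let the last matching permission decide, the order of a role's permissions changes its verdicts: a deny listed before a broader allow never takes effect. The following is an added example, not code from pim.rb, that reproduces the within-role rule and audits a permission list for such overridden denies. DemoPermission, its :all wildcard, the helper names and the sample data are hypothetical stand-ins, since the Permission class is not shown on this page.

```ruby
# Hypothetical stand-in for Permission; only matches? and is_allowed?
# are assumed, because those are the calls Role makes above.
DemoPermission = Struct.new(:object_type, :action, :allowed) do
  # Constructed matching rule: :all is a wildcard for either field.
  def matches?(type, act, _context = nil)
    [:all, type].include?(object_type) && [:all, act].include?(action)
  end

  def is_allowed?
    allowed
  end
end

# Same rule as Role#matching_permission: iterate in reverse, last match decides.
def deciding_permission(permissions, type, act, context = nil)
  permissions.reverse_each { |p| return p if p.matches?(type, act, context) }
  nil
end

# Same rule as Role#has_permission?: no matching permission means deny.
def verdict(permissions, type, act, context = nil)
  deciding = deciding_permission(permissions, type, act, context)
  deciding ? deciding.is_allowed? : false
end

# Audit: for each probe tuple that ends in "allow", list the deny permissions
# that also match it. They sit earlier in the list, so they never apply.
def overridden_denies(permissions, probes)
  probes.flat_map do |type, act|
    deciding = deciding_permission(permissions, type, act)
    next [] unless deciding && deciding.is_allowed?
    permissions.select { |p| !p.is_allowed? && p.matches?(type, act) }
               .map { |p| { probe: [type, act], denied_by: p, overridden_by: deciding } }
  end
end

# Constructed sample data: the same two permissions in both orders.
ALLOW_ALL_PRODUCT = DemoPermission.new(:product, :all, true)
DENY_DELETE       = DemoPermission.new(:product, :delete, false)
DENY_LAST  = [ALLOW_ALL_PRODUCT, DENY_DELETE]
DENY_FIRST = [DENY_DELETE, ALLOW_ALL_PRODUCT]
PROBES = [[:product, :read], [:product, :delete], [:asset, :read]]

PROBES.each do |type, act|
  puts "#{type}/#{act}: deny-last=#{verdict(DENY_LAST, type, act)} " \
       "deny-first=#{verdict(DENY_FIRST, type, act)}"
end
overridden_denies(DENY_FIRST, PROBES).each { |f| puts "overridden deny: #{f[:probe].inspect}" }
```

The probe list has to cover the tuples that matter for the role under review, because the audit only reports denies for tuples it is asked about.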