https://github.com/theopencms/active_permits
Acts as Active Permissions. Common Authorization Solution
- Host: GitHub
- URL: https://github.com/theopencms/active_permits
- Owner: TheOpenCMS
- License: mit
- Created: 2017-04-30T09:27:35.000Z (about 9 years ago)
- Default Branch: master
- Last Pushed: 2017-10-01T15:54:49.000Z (over 8 years ago)
- Last Synced: 2025-03-05T23:14:14.538Z (over 1 year ago)
- Language: Ruby
- Homepage:
- Size: 15.6 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
README
# ActivePermits
The Authorization Solution for TheOpenCMS
### Application controller
Close everything by default: every non-Devise action must pass authentication, action authorization, resource lookup and the owner check, unless a controller explicitly skips one of them.
```ruby
class ApplicationController < ActionController::Base
  include ::ActivePermits::Controller
  rescue_from ::ActivePermits::AuthorizationException, with: :access_denied
  protect_from_forgery with: :exception

  # Deny by default: all four checks run for every non-Devise action
  # unless a controller explicitly skips one of them.
  before_action :authenticate_user!, if: :needs_authorization?
  before_action :authorize_action!, if: :needs_authorization?
  before_action :set_resource!, if: :needs_authorization?
  before_action :authorize_owner!, if: :needs_authorization?

  private

  def needs_authorization?
    !devise_controller?
  end

  # Called via rescue_from whenever ActivePermits raises an AuthorizationException.
  def access_denied
    redirect_back fallback_location: authorize_fallback_location,
                  flash: { error: t('active_permits.access_denied') }
  end
end
```
### A controller: open only the permitted actions!
```ruby
class UsersController < ApplicationController
  authorize_resource_name :user

  # Opt out of individual checks only for the actions listed in the
  # predicates below; everything else stays closed.
  skip_before_action :authenticate_user!, if: :skip_authenticate_user?
  skip_before_action :authorize_action!, if: :skip_authorize_action?
  skip_before_action :set_resource!, if: :skip_set_resource?
  skip_before_action :authorize_owner!, if: :skip_authorize_owner?

  private

  # Loads the resource that authorize_owner! checks against current_user.
  def set_resource!
    user_id = params[:id] || params[:user_id]
    @user = ::User.where(login: user_id).first
  end

  protected

  def skip_authenticate_user?
    %w[index show].include?(action_name)
  end

  def skip_authorize_action?
    %w[index show edit update].include?(action_name)
  end

  def skip_set_resource?
    %w[index profile].include?(action_name)
  end

  def skip_authorize_owner?
    %w[index show profile].include?(action_name)
  end
end
```
### Remove `Strong Parameters` code from controllers
Use `permitted_params` instead; the whitelist for each action lives in its own class under `app/permissions/params/`.
```ruby
class UsersController < ApplicationController
  def update
    if @user.update(permitted_params)
      redirect_to @user, notice: 'User was updated'
    else
      render 'users/edit'
    end
  end
end
```
**app/permissions/params/users_controller/update_action.rb**
```ruby
class UsersController::UpdateAction < ActivePermits::PermittedParams::Base
  # @controller and @params are provided by the base class.
  def permitted_params
    if @controller.current_user.admin?
      @params.require(:user).permit!
    else
      @params.require(:user).permit(:login, :username, :email)
    end
  end
end
```
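The admin branch above uses `permit!`, which passes every submitted attribute through, while the non-admin branch whitelists three fields. The following added example (not code from the gem or TheOpenCMS) runs the same `permitted_params` logic against a constructed request that also carries an `admin` field, using a stand-in for `ActionController::Parameters` so it runs without Rails; `FakeParams`, `FakeUser`, `FakeController` and `UpdateActionFilter` are assumed names.

```ruby
# Added example, not code from the active_permits gem. FakeParams is a stand-in
# for ActionController::Parameters with only require/permit/permit!.
class FakeParams
  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end
  # Like Rails, require raises when the expected top-level key is absent.
  def require(key)
    value = @hash[key.to_s]
    raise KeyError, "param is missing or empty: #{key}" if value.nil?
    FakeParams.new(value)
  end
  # permit(*keys) keeps only the listed keys; everything else is dropped.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end
  # permit! lets every submitted key through (unrestricted mass assignment).
  def permit!
    @hash.dup
  end
end

# Stand-ins for the controller and current_user the README's class reads.
FakeUser = Struct.new(:admin) { def admin?; admin; end }
FakeController = Struct.new(:current_user)

# Same body as UsersController::UpdateAction in the README, minus the gem's base class.
class UpdateActionFilter
  def initialize(controller, params)
    @controller, @params = controller, params
  end

  def permitted_params
    if @controller.current_user.admin?
      @params.require(:user).permit!
    else
      @params.require(:user).permit(:login, :username, :email)
    end
  end
end

# Constructed request body: a regular user also submits an "admin" field.
REQUEST = { user: { login: 'alice', email: 'a@example.org', admin: true } }

def filtered_params_for(admin:)
  controller = FakeController.new(FakeUser.new(admin))
  UpdateActionFilter.new(controller, FakeParams.new(REQUEST)).permitted_params
end
```

For a non-admin the `admin` key never reaches `@user.update`; in the `permit!` branch it does, so that branch is only as safe as the account it trusts.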
## License
The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).