35 lines
1 KiB
Ruby
35 lines
1 KiB
Ruby
# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
|
|
|
|
# We need a special UserContext when authorizing in controller context
|
|
# because of Token authentication which has it's own permissions
|
|
# See: https://github.com/varvet/pundit#additional-context
|
|
# We use a Delegator here to have transparent / DuckType access
|
|
# to the underlying User instance in the Policy
|
|
class UserContext < Delegator
|
|
|
|
def initialize(user, token = nil) # rubocop:disable Lint/MissingSuper
|
|
@user = user
|
|
@token = token
|
|
end
|
|
|
|
def __getobj__
|
|
@user
|
|
end
|
|
|
|
def permissions!(permissions)
|
|
raise Exceptions::Forbidden, 'Authentication required' if !@user
|
|
raise Exceptions::Forbidden, 'Not authorized (user)!' if !@user.permissions?(permissions)
|
|
return if !@token
|
|
return if @token.with_context(user: @user) { permissions?(permissions) }
|
|
|
|
raise Exceptions::Forbidden, 'Not authorized (token)!'
|
|
end
|
|
|
|
def permissions?(permissions)
|
|
permissions!(permissions)
|
|
true
|
|
rescue Exceptions::Forbidden
|
|
false
|
|
end
|
|
end
|