diff options
| author | Robert | 2017-07-05 16:52:44 +0200 |
|---|---|---|
| committer | Robert | 2017-07-06 08:37:18 +0200 |
| commit | b09994a4ee79f735f9b3f43535c6d138c4b68a56 (patch) | |
| tree | 92b244bc9d9d4d8e792d0129793ceb553738afd1 /DEVNOTES.md | |
| parent | e53aa88c442bd0057c4e0ae66e2684d62d3193ed (diff) | |
| download | chouette-core-b09994a4ee79f735f9b3f43535c6d138c4b68a56.tar.bz2 | |
Refs:#3478@10h;
Policy Refactoring and Policy Test Completion
- All policies (and all permissions) under test.
- Common patterns and potential problems identified...
- ... and documented in DEVNOTES.md
- some simply refactorings
Diffstat (limited to 'DEVNOTES.md')
| -rw-r--r-- | DEVNOTES.md | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/DEVNOTES.md b/DEVNOTES.md new file mode 100644 index 000000000..01f58fa0f --- /dev/null +++ b/DEVNOTES.md @@ -0,0 +1,62 @@ + +# Authorization Logic in Policies + +## Base Rules + +### ApplicationPolicy + +Policies inheriting from the `ApplicationPolicy` authorize _Undestructive_ _Permissions_ whiche are `index?` and +`show?`. And forbid _Destructive_ _Permissions_ which are `create?`, `destroy?` & `update`. + +These _CRUD_ permissions are tied to to _Action_ permissions, `delete?`→ `destroy?`, `edit?` → `update? and `new?`→ `create?`. + +These three _Action_ permissions are not supposed to be overriden in `ApplicationPolicy` subclasses. + + +### Common Policy Types + +There are two common policy types. + +#### Read Only Type Policy + +This corresponds to inheriting from `ApplicationPolicy` without overriding one of the five aforementioned _CRUD_ permissions. + +The following Policies are of this type. + + - `Company` + - `GroupOfLine` + - `Line` + custom + - `Network` + - `StopArea` + +#### Standard Type Policy + +The standard type policy inherits from `ApplicationPolicy` does not override any _Undesructive_ _Pemission_ but overrides the _Destructive_ ones. + +Normally, but not always they are overriden as follows + +```ruby + def <destructive>? + !archived? && organisation_match? && user.has_permission('<resource in plural form>.<action>') + end +``` + +There are some variations (**TO BE CLARIFIED**) concerning `organisation_match?`. + +The following Policies are of this type. + + - `AccessLink` + - `AccessPoint` + - `Calendar` (*) + - `ConnectionLink` + - `JourneyPattern` + - `Referential` + custom + - `Route` + - `RoutingConstraintZone` + - `TimeTable` + custom + +`Calendar` is a strange exception where no user permission is checked for the _destructive_ _permissions_. + + + + |