1 class OrvosModel < ActiveRecord::Base
# Abstract base class: it has no table of its own.
self.abstract_class = true

include CurrentApiClient # current_user, current_api_client, etc.

# Bookkeeping columns are excluded from mass assignment; they are written by
# update_modified_by_fields instead. attr_protected is a denylist, so every
# column not named here (owner and uuid, for example) stays mass-assignable.
attr_protected :created_at, :modified_by_user, :modified_by_client, :modified_at

# Within each chain the permission check is registered first, so a denied
# write raises before the modified_* bookkeeping fields are touched.
before_create :ensure_permission_to_create
before_create :update_modified_by_fields

before_update :ensure_permission_to_update
before_update :maybe_update_modified_by_fields
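# Resolves an API "kind" string (the form "orvos#<name>", optionally ending
# in "_list" or "List") to the constant named by the singularized,
# camel-cased <name>.
#
# @param kind [String, nil] kind string, e.g. "orvos#user"
# @return [Object, nil] the resolved constant, or nil when +kind+ does not
#   have the expected form or names no constant
def self.kind_class(kind)
  # \A and \z anchor the whole value. ^ and $ anchor per line, so they would
  # also accept a multi-line value that merely contains a matching line.
  parsed = kind.to_s.match(/\Aorvos\#(.+?)(_list|List)?\z/)
  return nil unless parsed

  # NOTE(review): constantize resolves any loaded or autoloadable constant,
  # not only model classes. If kind can hold client-supplied data, callers
  # should confirm the result is an expected model class before querying it.
  parsed[1].pluralize.classify.constantize
rescue NameError
  # Covers an unknown or malformed constant name (and NoMethodError, its
  # subclass); other failures are no longer swallowed silently.
  nil
end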
# For every column named "<x>_kind", loads the object that the "<x>_kind" /
# "<x>_uuid" pair points at and stores it in the instance variable @<x>.
# NOTE(review): this listing omits gutter line 22 (the opener of the condition
# whose closing parenthesis is on gutter line 26) and the closing `end` lines.
# NOTE(review): no read-permission check on the loaded object is visible in
# this method; confirm that callers only expose objects the current user may see.
19 def eager_load_associations
20 self.class.columns.each do |col|
# Column names come from the schema; the capture is the association name <x>.
21 re = col.name.match /^(.*)_kind$/
# All of the following must hold: the record responds to <x>, <x>_uuid is
# set, the stored kind resolves to a class through kind_class, and a row with
# that uuid exists. The uuid is passed as a bind parameter, not interpolated.
23 self.respond_to? re[1].to_sym and
24 (auuid = self.send((re[1] + '_uuid').to_sym)) and
25 (aclass = self.class.kind_class(self.send(col.name.to_sym))) and
26 (aobject = aclass.where('uuid=?', auuid).first))
# Cache the loaded object under @<x>.
27 self.instance_variable_set('@'+re[1], aobject)
# before_create guard: aborts the save with an exception when
# permission_to_create returns nil or false.
#
# @raise [RuntimeError] "Permission denied"
# @return [nil] when creation is allowed
def ensure_permission_to_create
  return if permission_to_create

  raise "Permission denied"
end
# Predicate consulted by ensure_permission_to_create before a record is
# inserted; a nil or false result makes that guard raise.
# NOTE(review): the method body (gutter lines 39-40) is not shown in this
# listing, so the rule it applies cannot be stated from here.
38 def permission_to_create
# before_update guard: aborts the save with an exception when
# permission_to_update returns nil or false.
#
# @raise [RuntimeError] "Permission denied"
# @return [nil] when the update is allowed
def ensure_permission_to_update
  return if permission_to_update

  raise "Permission denied"
end
# Decides whether the current user may save changes to this record; the
# caller, ensure_permission_to_update, raises when the result is nil or false.
# NOTE(review): this listing omits several source lines (the gutter jumps
# 46->48, 48->52, 52->55, 58->60, 62->65, 68->70 and 71->74), so the guards
# around the warnings and the explicit return values are not visible here.
# NOTE(review): the warnings interpolate uuid and owner values taken from the
# pending change; if those can carry client-supplied text, consider logging
# them with #inspect so embedded newlines cannot forge log lines.
46 def permission_to_update
# Logged for an update attempted without a current user (guard not shown).
48 logger.warn "Anonymous user tried to update #{self.class.to_s} #{self.uuid_was}"
# Logged for an attempt to change the record's uuid (guard not shown).
52 logger.warn "User #{current_user.uuid} tried to change uuid of #{self.class.to_s} #{self.uuid_was} to #{self.uuid}"
# Administrators skip the remaining checks.
55 return true if current_user.is_admin
# Owner change: flagged when the previous owner is not the current user and
# no 'permission' Link runs from the new owner (tail) to the current user
# (head). Gutter line 59 is not shown, so the query may carry a further
# condition; confirm against the full file.
56 if self.owner_changed? and
57 self.owner_was != current_user.uuid and
58 0 == Link.where(link_class: 'permission',
60 tail_uuid: self.owner,
61 head_uuid: current_user.uuid).count
62 logger.warn "User #{current_user.uuid} tried to change owner of #{self.class.to_s} #{self.uuid} to #{self.owner}"
# Write check: passes when the current user owns the record, is an admin
# (redundant after the early return above), has the same uuid as the record,
# or is the head of a 'permission' Link whose tail is the owner. Gutter line
# 69 is not shown; the warning below mentions can_write, which suggests the
# query also filters on the link name; confirm against the full file.
65 if self.owner == current_user.uuid or
66 current_user.is_admin or
67 current_user.uuid == self.uuid or
68 Link.where(link_class: 'permission',
70 tail_uuid: self.owner,
71 head_uuid: current_user.uuid).count > 0
# Logged when none of the write conditions holds (branch keyword not shown).
74 logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{self.uuid} but does not can_write permission and owner is #{self.owner}"
# before_update hook: refreshes the bookkeeping fields only when the record
# has unsaved changes.
#
# @return [Object, nil] nil when nothing changed, otherwise whatever
#   update_modified_by_fields returns
def maybe_update_modified_by_fields
  return unless self.changed?

  update_modified_by_fields
end
# Stamps the bookkeeping fields from the request context: created_at and
# owner are filled in only when still unset, while modified_at,
# modified_by_user and modified_by_client are overwritten on every call.
#
# @return [Object, nil] the value assigned to modified_by_client
def update_modified_by_fields
  self.created_at = Time.now unless self.created_at
  # A record without an owner is assigned to the user making the request.
  self.owner = current_user.uuid unless self.owner
  self.modified_at = Time.now
  self.modified_by_user = current_user.uuid
  # The API client is optional; the field is cleared when there is none.
  client_uuid = if current_api_client
                  current_api_client.uuid
                end
  self.modified_by_client = client_uuid
end