[LRUG] [Off-Topic] Authorisation

Anthony Green Anthony.Green at bbc.co.uk
Mon Jul 28 02:51:56 PDT 2008



I think there's some early Railscasts on this:

http://www.railscasts.com



On 28/7/08 10:46, "Andrew Stewart" <boss at airbladesoftware.com> wrote:

> Hola El Rug,
> 
> In my current Rails project I have a screen that lists all the people
> who can log in.  A person may update their own details, and an
> administrator may update anyone's details.
> 
> So in the view I need to use that logic to determine whether or not to
> show an edit link by each person.  In the controller, I use that logic
> to determine whether or not the current person (i.e. the person using
> the app) can execute the edit and update actions (because they may
> have typed the URL directly).
> 
> Right now I repeat the logic in the view and the controller.
> However I think the authorisation logic would be better off in the
> model, perhaps with an is_editable_by?(person) method on the Person
> object.  But the model doesn't know anything about the current person
> (which is why auditing plugins resort to hijacking Rails' caching
> mechanism to track who does what to the models), so I can't see how to
> enforce the authorisation in the model layer.
> 
> In a nutshell, I think that the authorisation logic should live in the
> model layer, and the view and the controller should query the model to
> find out what is allowed.  However the model layer can't enforce the
> rules; only the controller can.
> 
> Have I missed anything?  Is there a better way to do this?  I'd
> appreciate your thoughts.
> 
> Regards,
> 
> Andy Stewart
> 
> -------
> AirBlade Software Ltd
> http://airbladesoftware.com
> 
> 
> 
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org

-- 
Anthony Green
Client Side Developer
Future Media & Technology for BBC Audio & Music Interactive


http://www.bbc.co.uk/
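The split Andy describes above, written out as an added example that is not from the thread or from any Rails plugin: the rule lives on the model as a predicate that takes the acting person as an argument (because the model has no idea who the current person is), the view calls it to decide whether to render an edit link, and the controller calls the same predicate and refuses the request when it says no, so a URL typed straight into the browser is still stopped. The names Person, PeopleController and NotAuthorised are assumptions; there is no Rails dependency so it runs stand-alone.

```ruby
# Added example, not code from the original thread. Plain Ruby, no Rails;
# Person, PeopleController and NotAuthorised are assumed names.

NotAuthorised = Class.new(StandardError)

# The model owns the rule but does not know who the current person is,
# so the caller passes the acting person in explicitly.
class Person
  attr_reader :id, :name
  attr_accessor :email

  def initialize(id, name, email, admin: false)
    @id, @name, @email, @admin = id, name, email, admin
  end

  def admin?
    @admin
  end

  # A person may edit their own record; an administrator may edit anyone's.
  # A nil actor (nobody logged in) may edit nothing.
  def editable_by?(actor)
    return false if actor.nil?
    actor.admin? || actor.id == id
  end
end

# The "controller" is the only layer that can actually refuse a request.
# It asks the model the same question the view asks, but treats "no" as a
# hard stop, which is what catches a directly typed /people/3/edit URL.
class PeopleController
  def initialize(people, current_person)
    @people = people.each_with_object({}) { |p, h| h[p.id] = p }
    @current_person = current_person
  end

  # update action: enforce, then apply the change.
  def update(id, attrs)
    person = @people.fetch(id)
    unless person.editable_by?(@current_person)
      who = @current_person ? @current_person.id : "nobody"
      raise NotAuthorised, "person #{who} may not edit person #{id}"
    end
    person.email = attrs[:email] if attrs.key?(:email)
    person
  end

  # The "view": one row per person, with an edit link only where the same
  # model predicate allows it. Returns strings so the result can be checked.
  def index
    @people.values.map do |p|
      link = p.editable_by?(@current_person) ? " [edit]" : ""
      "#{p.name}#{link}"
    end
  end
end

if __FILE__ == $0
  # Constructed sample data.
  people = [
    Person.new(1, "Alice", "alice@example.com", admin: true),
    Person.new(2, "Bob", "bob@example.com"),
    Person.new(3, "Carol", "carol@example.com"),
  ]
  as_bob = PeopleController.new(people, people[1])
  puts as_bob.index                      # only Bob's row gets [edit]
  begin
    as_bob.update(3, email: "x@example.com")
  rescue NotAuthorised => e
    puts "denied: #{e.message}"          # Bob typing Carol's edit URL
  end
end
```

Note that the view and the controller never restate the rule; if the policy changes (say, a "manager may edit their reports" case), only Person#editable_by? changes and both layers pick it up.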