[LRUG] [Off-Topic] Authorisation

Steve Butterworth steve at humbletechnologies.com
Mon Jul 28 03:00:07 PDT 2008


I think an is_editable_by? method on Person will encapsulate the logic 
nicely and the model doesn't have to know the current user as you are 
passing this in as a method argument.

 >> person1.is_editable_by?(current_user)

Sometimes I do go a step further with this kind of thing and set a class 
attribute on Person (actually normally User) called current_user which 
is set in a before filter in application_controller. This way models can get 
access to the current_user via User.current_user. This technique comes 
with a warning though because once you make assumptions in models about 
logged in users and access to them you are coupling your code (more 
specifically layers) more tightly than perhaps you want.

Steve

Andrew Stewart wrote:
> Hola El Rug,
>
> In my current Rails project I have a screen that lists all the people 
> who can log in.  A person may update their own details, and an 
> administrator may update anyone's details.
>
> So in the view I need to use that logic to determine whether or not to 
> show an edit link by each person.  In the controller, I use that logic 
> to determine whether or not the current person (i.e. the person using 
> the app) can execute the edit and update actions (because they may 
> have typed the URL directly).
>
> Right now I have to repeat the logic in the view and the controller.  
> However I think the authorisation logic would be better off in the 
> model, perhaps with an is_editable_by?(person) method on the Person 
> object.  But the model doesn't know anything about the current person 
> (which is why auditing plugins resort to hijacking Rails' caching 
> mechanism to track who does what to the models), so I can't see how to 
> enforce the authorisation in the model layer.
>
> In a nutshell, I think that the authorisation logic should live in the 
> model layer, and the view and the controller should query the model to 
> find out what is allowed.  However the model layer can't enforce the 
> rules; only the controller can.
>
> Have I missed anything?  Is there a better way to do this?  I'd 
> appreciate your thoughts.
>
> Regards,
>
> Andy Stewart
>
> -------
> AirBlade Software Ltd
> http://airbladesoftware.com
>
>
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
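The approach discussed above, as an added example that is not code from either post: a plain-Ruby sketch (no Rails) of the is_editable_by?(user) rule living in the Person model, a stand-in controller that enforces it on the edit/update path (the view only asks the model which links to show), and the class-level current_user variant set by a before filter. The Person, PeopleController and Forbidden names and the sample people are constructed for the example; the one design choice added here is that current_user is stored per thread and cleared after each request, since a plain class variable is shared by every request the process serves and a threaded server could otherwise let one request see another's user (that deployment is an assumption).

```ruby
# Added example, not code from the thread. Plain Ruby, no Rails.
class Forbidden < StandardError; end

class Person
  attr_reader :id, :name

  def initialize(id:, name:, admin: false)
    @id, @name, @admin = id, name, admin
  end

  def admin?
    @admin
  end

  # The rule from the thread: a person may edit themselves, an
  # administrator may edit anyone. The current user is an argument,
  # so the model needs no knowledge of the request.
  def is_editable_by?(user)
    return false if user.nil?
    user.admin? || user.id == id
  end

  # Variant from Steve's reply: a class-level current_user that models can
  # read. Kept per thread rather than in a class variable so that, in a
  # threaded server (assumption), one request cannot observe another's user.
  def self.current_user
    Thread.current[:current_user]
  end

  def self.current_user=(user)
    Thread.current[:current_user] = user
  end

  def editable_by_current_user?
    is_editable_by?(Person.current_user)
  end
end

# Stand-in for a Rails controller. The before filter sets the current user,
# the update action re-checks the model rule (the edit link in the view is
# not a control; the URL can be typed directly), and the user is reset after.
class PeopleController
  def initialize(people)
    @people = people.each_with_object({}) { |p, h| h[p.id] = p }
  end

  def update(current_user:, person_id:, name:)
    with_current_user(current_user) do
      person = @people.fetch(person_id)
      raise Forbidden unless person.editable_by_current_user?
      person.instance_variable_set(:@name, name) # stands in for update_attributes
      :updated
    end
  rescue Forbidden
    :forbidden
  end

  # What the view does: ask the model, never re-implement the rule.
  # Returns the ids of the people for whom an edit link would be shown.
  def edit_links(current_user:)
    with_current_user(current_user) do
      @people.values.select(&:editable_by_current_user?).map(&:id)
    end
  end

  private

  # The "before filter": scope the current user to this request only.
  def with_current_user(user)
    Person.current_user = user
    yield
  ensure
    Person.current_user = nil # never leave a stale user for the next request
  end
end

if __FILE__ == $0
  alice = Person.new(id: 1, name: "Alice")
  bob   = Person.new(id: 2, name: "Bob")
  root  = Person.new(id: 3, name: "Root", admin: true)
  ctl   = PeopleController.new([alice, bob, root])
  puts ctl.update(current_user: bob, person_id: 1, name: "Mallory")   # forbidden
  puts ctl.update(current_user: root, person_id: 1, name: "Alice S.") # updated
  p ctl.edit_links(current_user: bob)                                  # [2]
end
```

The two checks are the same method: the view calls editable_by_current_user? to decide whether to render a link, and the controller calls it again before doing the work, so the rule is written once and the controller remains the layer that actually refuses the request.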