[LRUG] [Off-Topic] Authorisation
Andrew Stewart
boss at airbladesoftware.com
Mon Jul 28 02:46:30 PDT 2008
Hola El Rug,
In my current Rails project I have a screen that lists all the people
who can log in. A person may update their own details, and an
administrator may update anyone's details.
So in the view I need to use that logic to determine whether or not to
show an edit link by each person. In the controller, I use that logic
to determine whether or not the current person (i.e. the person using
the app) can execute the edit and update actions (because they may
have typed the URL directly).
Right now I have to repeat the logic in the view and the controller.
However I think the authorisation logic would be better off in the
model, perhaps with an is_editable_by?(person) method on the Person
object. But the model doesn't know anything about the current person
(which is why auditing plugins resort to hijacking Rails' caching
mechanism to track who does what to the models), so I can't see how to
enforce the authorisation in the model layer.
In a nutshell, I think that the authorisation logic should live in the
model layer, and the view and the controller should query the model to
find out what is allowed. However the model layer can't enforce the
rules; only the controller can.
Have I missed anything? Is there a better way to do this? I'd
appreciate your thoughts.
Regards,
Andy Stewart
-------
AirBlade Software Ltd
http://airbladesoftware.com
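The layering the post describes (rule on the model, enforced in the controller, merely queried in the view), as an added example in plain Ruby that is not code from the original post; Person, editable_by?, authorise_edit!, update_person, edit_link_for and the sample people are constructed for illustration.

```ruby
# Constructed example of the layering discussed above: the rule lives on
# the model, the controller enforces it, the view only queries it.
Person = Struct.new(:id, :name, :admin) do
  # The model cannot know who is logged in, so the current person is passed
  # in explicitly rather than looked up from global state.
  def editable_by?(actor)
    return false if actor.nil?
    actor.admin || actor.id == id
  end
end

class NotAuthorised < StandardError; end

# Controller-side enforcement (stand-in for a before_filter on edit/update):
# this is what stops a user who typed /people/:id/edit directly.
def authorise_edit!(current_person, target)
  unless target.editable_by?(current_person)
    who = current_person ? current_person.name : "anonymous"
    raise NotAuthorised, "#{who} may not edit #{target.name}"
  end
  target
end

# The update action: authorise first, then apply the change.
def update_person(current_person, target, attrs)
  authorise_edit!(current_person, target)
  attrs.each { |k, v| target[k] = v }
  target
end

# View-side query: same rule, no enforcement; nil means "no link".
def edit_link_for(current_person, target)
  return nil unless target.editable_by?(current_person)
  %(<a href="/people/#{target.id}/edit">Edit</a>)
end

# Constructed sample people (not real data).
ALICE = Person.new(1, "Alice", true)   # administrator
BOB   = Person.new(2, "Bob",   false)
CAROL = Person.new(3, "Carol", false)

if __FILE__ == $PROGRAM_NAME
  # Listing as seen by Bob: a link beside himself only.
  [ALICE, BOB, CAROL].each { |p| puts "#{p.name}: #{edit_link_for(BOB, p) || '(no link)'}" }
end
```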