[LRUG] authorization plugins

Tim Cowlishaw tim at timcowlishaw.co.uk
Mon Oct 11 06:30:49 PDT 2010


Hi chaps,

Before I get too involved in rolling my own solution, I was wondering
if any of you had a preferred plugin or library to handle
authorization in rails applications?

I basically need something that will allow me to define various roles
that various user objects have in relation to various 'authorizable'
objects, and allow or disallow each of the CRUD operations on that
object / class of objects per role.

This is vaguely the sort of API I was thinking of for my home-rolled solution:

 # This is pseudocode
class User < ActiveRecord::Base
  # habtm has no :as option (that is for polymorphic associations); two
  # habtm associations to the same class need distinct join tables, so the
  # join table names below are assumed and must match the Article side
  has_and_belongs_to_many :authored_articles, :class_name => "Article",
    :join_table => "articles_authors"
  has_and_belongs_to_many :articles, :class_name => "Article",
    :join_table => "articles_authorized_readers"
end

class Article < ActiveRecord::Base
  has_and_belongs_to_many :authors, :class_name => "User",
    :join_table => "articles_authors"
  has_and_belongs_to_many :authorized_readers, :class_name => "User",
    :join_table => "articles_authorized_readers"

  def state
    # arbitrary stuff happens here; this method returns either 'draft' or
    # 'published'
  end

  # Now for the bit I'm proposing
  include Authorizable
  access_allowed_by_default false
  viewable :by => :authorized_readers, :in_state => :published
  viewable :by => :authors, :in_state => :draft
  editable :by => :authors
  deletable :by => :authors
end

Thus, you can define authz rules declaratively in reference to
membership of a particular collection of users, and some notion of the
'state' of an object. These can then be tested by calling
Article#editable? and passing the user for which you're querying the
permissions as an argument. I was vaguely considering eventually
writing some rack middleware that could handle this transparently for
RESTful URLs at some point in the future too.

So, before I get cracking making this, has anyone come across anything
similar that already exists to save me reinventing the wheel? I had a
look at http://github.com/DocSavage/rails-authorization-plugin, but it
appears to rely on its own model for user roles, rather than using
existing relations in your data model, and seems perhaps a little
heavyweight for my purposes. If not, would anyone apart from me find a
library like this useful? If I do roll my own solution I'll definitely
wrap it up as a plugin. Finally, authz seems like a slightly tricky
thing to architect to me - setting up access control rules is
definitely a model level concern, whereas checking the permissions
assigned to the logged in user sits squarely in the domain of the
controller (I don't think models should know about the current user
session, personally). How much responsibility would you like to see
each of these taking in an authz solution? (For example, would you
prefer to check the authz rules explicitly in the controller for any
action performed on an object, or would you rather forbidden actions
caused a failed validation or raised an exception at the model level?
The tradeoff in the latter case, in my opinion, is that the model
needs to have knowledge of the current session for this to be
possible, breaking down the model-controller barrier rather.) If anyone
else is crying out for such a plugin and has their own suggestions or
requests for features beyond what I've outlined above, I'd be happy to
hear them too!

Cheers,

Tim
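As an added example (not code from the original post, and not an existing plugin), the following is a minimal, Rails-free implementation of the Authorizable mixin sketched in the message above, together with a controller-side check that passes the current user in explicitly so the model never touches the session. The DSL names (access_allowed_by_default, viewable, editable, deletable, :by, :in_state) follow the post; the rule semantics are an assumption: an action is allowed if any declared rule for it matches, otherwise the class-wide default applies. Plain Ruby objects and arrays stand in for ActiveRecord models and association collections.

```ruby
# Added example, not code from the original post. Assumed semantics: allow if
# any declared rule for the action matches, else fall back to the class default.
module Authorizable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Deny unless a rule grants access; call with `true` to flip the default.
    def access_allowed_by_default(value = nil)
      @access_allowed_by_default = value unless value.nil?
      @access_allowed_by_default == true
    end

    # action => [{ by: association_name, in_state: symbol_or_nil }, ...]
    def authz_rules
      @authz_rules ||= Hash.new { |h, k| h[k] = [] }
    end

    # The declarative macros, e.g. viewable :by => :authors, :in_state => :draft
    [:viewable, :editable, :deletable].each do |action|
      define_method(action) do |by:, in_state: nil|
        authz_rules[action] << { by: by, in_state: in_state }
      end
    end
  end

  # The user is an explicit argument: the model never consults a session.
  def authorized?(action, user)
    granted = self.class.authz_rules[action].any? do |rule|
      next false if rule[:in_state] && state.to_sym != rule[:in_state]
      public_send(rule[:by]).include?(user)
    end
    granted || self.class.access_allowed_by_default
  end

  def viewable?(user)
    authorized?(:viewable, user)
  end

  def editable?(user)
    authorized?(:editable, user)
  end

  def deletable?(user)
    authorized?(:deletable, user)
  end
end

User = Struct.new(:name)

# Stand-in for the Article model: arrays replace association collections.
class Article
  include Authorizable
  attr_reader :authors, :authorized_readers, :state

  def initialize(authors:, authorized_readers:, state:)
    @authors = authors
    @authorized_readers = authorized_readers
    @state = state # 'draft' or 'published', as in the post
  end

  access_allowed_by_default false
  viewable :by => :authorized_readers, :in_state => :published
  viewable :by => :authors, :in_state => :draft
  editable :by => :authors
  deletable :by => :authors
end

class NotAuthorized < StandardError; end

# Controller-side helper (assumed, not from the post): whoever knows the
# current user calls this before acting, and maps the exception to a 403.
def authorize!(action, record, user)
  unless record.authorized?(action, user)
    raise NotAuthorized, "#{user.name} may not #{action} this record"
  end
  record
end

# Constructed sample data exercising the rules exactly as declared above.
def demo
  alice = User.new("alice")   # author
  bob   = User.new("bob")     # authorized reader
  eve   = User.new("eve")     # no relation to the articles
  draft     = Article.new(authors: [alice], authorized_readers: [bob], state: "draft")
  published = Article.new(authors: [alice], authorized_readers: [bob], state: "published")
  {
    author_views_draft:       draft.viewable?(alice),      # true
    reader_views_draft:       draft.viewable?(bob),        # false: readers see published only
    reader_views_published:   published.viewable?(bob),    # true
    author_views_published:   published.viewable?(alice),  # false: no declared rule grants it
    author_edits_published:   published.editable?(alice),  # true: editable has no state condition
    reader_edits_draft:       draft.editable?(bob),        # false
    stranger_views_published: published.viewable?(eve),    # false: deny by default
    stranger_deletes:         published.deletable?(eve)    # false
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running demo shows one consequence worth checking in any rule set written this way: with the rules exactly as declared in the post, an author who is not also an authorized reader cannot view the article once it is published, because the only viewable rule for authors is conditioned on the draft state while the default is deny. Deny-by-default is the right posture; it just means every state transition needs a rule that covers the people who should still have access afterwards.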


