[LRUG] authorization plugins

Jon Wood jon at blankpad.net
Mon Oct 11 06:32:34 PDT 2010


Have a look at CanCan by Ryan Bates: http://github.com/ryanb/cancan/

It's not exactly what you're looking for, in that permissions are
defined in a different class to the model, but the API is close.

Jon

On 11 October 2010 14:30, Tim Cowlishaw <tim at timcowlishaw.co.uk> wrote:
> Hi chaps,
>
> Before I get too involved in rolling my own solution, I was wondering
> if any of you had a preferred plugin or library to handle
> authorization in rails applications?
>
> I basically need something that will allow me to define various roles
> that various user objects have in relation to various 'authorizable'
> objects, and allow or disallow each of the CRUD operations on that
> object / class of objects per role.
>
> This is vaguely the sort of API I was thinking of for my home-rolled solution:
>
>  #This is pseudocode
> class User < ActiveRecord::Base
>  # :as is not a has_and_belongs_to_many option; two HABTM joins to the
>  # same model need :class_name plus distinct :join_table names instead
>  has_and_belongs_to_many :authored_articles, :class_name => "Article",
>                          :join_table => "articles_authors"
>  has_and_belongs_to_many :articles, :class_name => "Article",
>                          :join_table => "articles_authorized_readers"
>
> end
>
> class Article < ActiveRecord::Base
>
>  has_and_belongs_to_many :authors, :class_name => "User",
>                          :join_table => "articles_authors"
>  has_and_belongs_to_many :authorized_readers, :class_name => "User",
>                          :join_table => "articles_authorized_readers"
>
>  def state
>  #arbitrary stuff happens here, this method returns either 'draft' or
>  #'published'
>  end
>
>
> #Now for the bit I'm proposing
>
> include Authorizable
> access_allowed_by_default false
> viewable :by => :authorized_readers, :in_state => :published
> viewable :by => :authors, :in_state => :draft
> editable :by => :authors
> deletable :by => :authors
> end
>
> Thus, you can define authz rules declaratively in reference to
> membership of a particular collection of users, and some notion of the
> 'state' of an object. These can then be tested by calling
> Article#editable? and passing the user for which you're querying the
> permissions as an argument. I was vaguely considering eventually
> writing some rack middleware that could handle this transparently for
> RESTful URLs at some point in the future too.
>
> So, before I get cracking making this, has anyone come across anything
> similar that already exists to save me reinventing the wheel? I had a
> look at http://github.com/DocSavage/rails-authorization-plugin, but it
> appears to rely on its own model for user roles, rather than using
> existing relations in your data model, and seems perhaps a little
> heavyweight for my purposes. If not, would anyone apart from me find a
> library like this useful? If I do roll my own solution I'll definitely
> wrap it up as a plugin. Finally, authz seems like a slightly tricky
> thing to architect to me - setting up access control rules is
> definitely a model level concern, whereas checking the permissions
> assigned to the logged in user sits squarely in the domain of the
> controller (I don't think models should know about the current user
> session, personally). How much responsibility would you like to see
> each of these taking in an authz solution? (For example, would you
> prefer to check the authz rules explicitly in the controller for any
> action performed on an object, or would you rather forbidden actions
> caused a failed validation or raised an exception at the model level?
> The tradeoff in the latter case, in my opinion, is that the model
> needs to have knowledge of the current session for this to be
> possible, breaking down the model-controller barrier rather) If anyone
> else is crying out for such a plugin and has their own suggestions or
> requests for features beyond what I've outlined above, I'd be happy to
> hear them too!
>
> Cheers,
>
> Tim
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>



-- 
Jon Wood
Blank Pad Development

07827 888143

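Added example, not code from either message, from Rails, or from CanCan: a framework-free Ruby sketch of the declarative Authorizable mixin Tim proposes, with plain-array User/Article stand-ins for the ActiveRecord models and HABTM collections. The module, its Rule struct, AccessDenied, authorize! and demo are all hypothetical names. It uses the thread's own rule set, so it also shows what "default deny" plus literal rules does: authors lose view access once an article is published, because the only author rule is scoped to :draft.

```ruby
# Added example (hypothetical, not from the original post, Rails or CanCan):
# a declarative, default-deny "Authorizable" mixin in plain Ruby.
module Authorizable
  # One declared rule: the action, the association that grants it, and an
  # optional object state the rule is limited to (nil = any state).
  Rule = Struct.new(:action, :collection, :state)

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def rules
      @rules ||= []
    end

    # Assumed semantics: the default applies only to actions with no rule at
    # all; once an action has rules, only a matching rule allows it.
    def access_allowed_by_default(flag)
      @default_allowed = flag
    end

    def default_allowed?
      @default_allowed == true # unset (nil) still means deny
    end

    # viewable/editable/deletable :by => <association>, :in_state => <state>
    [:viewable, :editable, :deletable].each do |action|
      define_method(action) do |opts|
        rules << Rule.new(action, opts.fetch(:by), opts[:in_state])
      end
    end
  end

  # Allowed if any rule for the action matches: the user is in the named
  # collection and, for state-scoped rules, the object's current state
  # matches. An anonymous (nil) user is always denied.
  def allowed?(action, user)
    return false if user.nil?
    matching = self.class.rules.select { |r| r.action == action }
    return self.class.default_allowed? if matching.empty?
    matching.any? do |r|
      (r.state.nil? || state.to_sym == r.state) &&
        public_send(r.collection).include?(user)
    end
  end

  def viewable?(user);  allowed?(:viewable, user);  end
  def editable?(user);  allowed?(:editable, user);  end
  def deletable?(user); allowed?(:deletable, user); end
end

class AccessDenied < StandardError; end

# Controller-side enforcement: the model only answers "may this user do X?";
# the caller, which knows the session, decides what a denial does (here: raise).
def authorize!(action, user, record)
  unless record.allowed?(action, user)
    who = user ? user.name : "anonymous"
    raise AccessDenied, "#{who} may not #{action} #{record.class.name}"
  end
  record
end

class User
  attr_reader :name
  def initialize(name)
    @name = name
  end
end

# Stand-in for the ActiveRecord model; HABTM collections are plain arrays.
class Article
  include Authorizable
  attr_reader :authors, :authorized_readers, :state

  access_allowed_by_default false
  viewable  :by => :authorized_readers, :in_state => :published
  viewable  :by => :authors,            :in_state => :draft
  editable  :by => :authors
  deletable :by => :authors

  def initialize(authors:, authorized_readers:, state:)
    @authors = authors
    @authorized_readers = authorized_readers
    @state = state # 'draft' or 'published', string or symbol, as Tim's #state would return
  end
end

# Constructed sample data; returns each decision so it can be checked.
def demo
  alice, bob, carol = User.new("alice"), User.new("bob"), User.new("carol")
  draft     = Article.new(authors: [alice], authorized_readers: [bob], state: :draft)
  published = Article.new(authors: [alice], authorized_readers: [bob], state: "published")
  {
    author_views_draft:     draft.viewable?(alice),
    reader_views_draft:     draft.viewable?(bob),
    reader_views_published: published.viewable?(bob),
    author_views_published: published.viewable?(alice), # no rule covers this
    author_edits:           published.editable?(alice),
    reader_edits:           published.editable?(bob),
    stranger_deletes:       published.deletable?(carol),
    anonymous_views:        published.viewable?(nil),
  }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Two points the example makes concrete. First, the deny-by-default switch is only half the story: a rule set that is default-deny still grants exactly what each rule says, so the author-only-in-draft rule is not a bug in the mixin but a policy the declaration spells out, and a test like the one in `demo` is the cheapest way to catch that before it ships. Second, the model never sees the session; `authorize!` is where the controller passes the current user in, so the model-controller split Tim asks about is kept while the check itself stays next to the data it protects.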

