Browse the Ruby on Rails Community.

You are here: Browse Railsplugins Base Auth

Base Auth

Best Authorization System Ever

Key concept

This plugin makes 2 assumptions:

- you have a current_user method in your controller which returns the currently signed in user which you want to check authorization for. - you check authorization using instance methods of your user objects

This worked really well for me so far, so there’s a slight chance it will also work for you.

Using as a before filter

Simple example:

class ArticleController < ApplicationController
  deny :user => :is_guest?
end

the above example will deny all guest access (will call current_user.is_guest? method to determine if the user is a guest or not). If you want to allow guests to list articles, but nothing more, use:

allow :index, :user => :is_guest?

or

allow :only => :index, :user => :is_guest?

if you want to allow every user who is guest OR admin, you’d go:

allow :index, :user => [ :is_guest?, :is_admin? ]

if you give an Array as :user value, at least one condition has to be met. For more sophisticated conditions you can pass a string, which will be instance_eval’d:

allow :index, :user => 'is_guest? or ( is_admin? and is_moderator? )'

Still, there are cases when you want to check something in the controller. In that case you can use :exec param instead of :user like this:

class ArticleController < ApplicationController
  allow :exec => :check_auth
end
def check_auth
  session[:allowed] == 'yes'
end

You can also pass a string, which will be eval’d, or a Proc, which will be called.

If you pass a method which accepts arguments, an object will be passed to it as a parameter. Which obejct? By default an instance variable named after singluarized controller name. So:

class ArticleController < ApplicationController
  allow :edit, :update, :user => :owns?
end

Will call current_user.owns?( @article ) to check for permission. You can override this by passing :object argument, which can be a Symbol (naming instance variable to be used) or the object itself.

By default an Authorization::PermisionDenied exception will be raised. You can also use :method parameter to specify which method should be called instead or :redirect_to to redirect user instead.

With :message parameter you can pass a message that will be stored in exception.

Using in actions

In actions you can use allow!, deny!, allow? and deny? methods. The ones with ’!’ will raise an exception, while the ones with ’?’ will only return true or false:

def destroy
  allow! :user => :owns?
  @article.destroy
end

Using in views

you can use allow and deny methods in your views and pass them a block to execute:

<% allow :user => :is_admin? do %> Only admins can see that! <% end>

<% deny :user => :is_guest? do %> You can’t see it if you’re a guest. <% end %>

Notes

If you’re using rails older than 2.0 rescuing exceptions can be a pain. For rails 1.2 I recommend using exceptional plugin:

http://agilewebdevelopment.com/plugins/exceptional

ToDo

- add support for :if parameted (should behave like the one in validations) - make it possible to configure default behavior (so you don’t have to pass :method parameter everywhere if you always want to call a method instead of raising exception) - better documentation

Credits & Licensing

The plugin was written by me. It’s distributed under MIT license.

By the way, people tend to call me Robert Nasiadek and you can reach me at <robert>.

NOTE: This description has been extracted from the Plugin README and so the formatting may need updating to make browser friendly

Edit Edit | Report Report

Users


See all details


Membership

+ Join this railsplugin

Record Maintainer

'None'