Authorization
- Filed under Security & Protection
- Developed by Bill Katz (DocSavage)
= Authorization plugin

http://www.writertopia.com/developers/authorization

This plugin provides a flexible way to add authorization to Rails. The authorization process decides whether a user is allowed access to some feature. It is distinct from the authentication process, which tries to confirm a user is authentic, not an imposter.

There are many authentication systems available for Rails, e.g., acts_as_authenticated and LoginEngine. This authorization system will play nicely with them as long as some simple requirements are met:

1. User objects are available that implement a <tt>has_role?(role, authorizable_object = nil)</tt> method. This requirement can be easily handled by using <tt>acts_as_authorized_user</tt> in the User-like class.

2. If you want to use "role of model" authorization expressions, like "owner of resource" or "eligible for :award", then your models with roles must implement an <tt>accepts_role?(role, user)</tt> method. This requirement can be handled by using <tt>acts_as_authorizable</tt> in the model class.

The authorization plugin provides the following:

* A simple way of checking authorization at either the class or instance method level using #permit and #permit?
* Authorization using roles for the entire application, a model class, or an instance of a model (i.e., a particular object).
* Some English-like dynamic methods that draw on the defined roles. You will be able to use methods like "user.is_fan_of angelina" or "angelina.has_fans?", where a 'fan' is only defined in the roles table.
* Pick-and-choose a mixin for your desired level of database complexity. For all the features, you will want to use "object roles table" (see below).

== Steps in using the plugin

1. At the top of your config/environment.rb create an AUTHORIZATION_MIXIN constant and set it to "object roles" or "hardwired". (See init.rb in this plugin for how the role support is mixed in.)

2. Make sure your application provides a current_user method or something that returns the current user object. Add the constants in environment.rb to set your authentication system
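The two requirements above (a <tt>has_role?</tt> hook on the user, an <tt>accepts_role?</tt> hook on the model) and the "role" / "role of model" expression forms, as an added example that is not the plugin's own code. The Role class, the <tt>grant</tt> helper, the bindings hash and the regex-based evaluator are assumptions made for this sketch; the real plugin resolves the model name from the controller instead.

```ruby
# Added example, not the plugin's code: the two hooks the plugin requires and
# a small evaluator for "role" and "role of model" expressions. Role storage,
# grant and the bindings hash are assumptions made for this sketch.
class Role
  attr_reader :name, :authorizable
  def initialize(name, authorizable = nil)
    @name = name.to_s
    @authorizable = authorizable # nil means an application-wide role
  end
end

class User
  def initialize(login)
    @login, @roles = login, []
  end

  def grant(role, authorizable = nil)
    @roles << Role.new(role, authorizable)
  end

  # Requirement 1. The scope must match: a role granted on one object does not
  # satisfy an application-wide check, and a global role is not an object role.
  def has_role?(role, authorizable_object = nil)
    @roles.any? { |r| r.name == role.to_s && r.authorizable.equal?(authorizable_object) }
  end
end

class Document
  def initialize(title)
    @title = title
  end

  # Requirement 2: the model decides whether the user holds the role on it.
  def accepts_role?(role, user)
    user.has_role?(role, self)
  end
end

# "editor" checks an application-wide role; "owner of report" looks up :report
# in bindings and asks that object. Anything unrecognised is denied.
def permit?(expression, user, bindings = {})
  case expression.strip
  when /\A(\w+)\s+(?:of|for|on)\s+:?(\w+)\z/
    role, name = $1, $2
    target = bindings[name.to_sym]
    !target.nil? && target.respond_to?(:accepts_role?) && target.accepts_role?(role, user)
  when /\A(\w+)\z/
    user.has_role?($1)
  else
    false # fail closed
  end
end
```

A user granted <tt>:owner</tt> on one Document passes <tt>permit?("owner of report", user, report: that_document)</tt> but fails the bare <tt>permit?("owner", user)</tt>, which is the scoping distinction the README draws between application, class and instance roles.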
Last updated: September 23, 2007 15:54


