Railsify!

Authorization

TO DO
+ Add Right model generator and DB-backed way of handling rights in addition to inlined "permit" checks
+ Added namespacing to @options instance variable to prevent possible name clashes
+ Add test generator instead of handling tests in test apps
+ Add support for groups
+ Extend grammar to allow "(admin or moderator or some_role) of some_model" (?) [Chris Hapgood]
+ Extend coverage to models. Look at Bruce Perens's ModelSecurity and access with_scope. (9/3006 - Recently investigated extension to model and the most programmer-friendly DSLs may require too much hacking on ActiveRecord.)

CHANGES (from most recent to oldest)

 SVN

* Performance improvement for has_role?  [Sean Geoghegan]

* Allow customization of message on redirection after failed authorization (:redirect_message option) [Joey Geiger]

* Patch to allow authorizable objects that use single table inheritance (STI) [Sean Geoghegan]

 1.0 release (Sept 13, 2006)

* Added attr_protected for habtm and has_many role ids to block security concern if developers use update_attributes(params[:auth_obj]) on an authorizable object [Michael Schuerig]

* Use before_filter rather than prepend_before_filter so necessary instance variables (and methods) can be established before trying authorization checks. This fix came about for Mephisto blog where a class-level permit "admin of site" was used. The site attribute was set in a before_filter. If you prepend your authorization filter, it will execute before any other before_filter, which is probably not a good idea.

* Add "about" yaml for future Rails plugin directory.

* Cleaned up exception handling a little [due to suggestion by Michael Schuerig]

* Add generator for role model and migration, e.g., "script/generate role_model Role".
  Role model must be called "Role" at this time. More general naming as a TO DO.

* Removed simple_roles_table to simplify plugin.

* Moved all files in Authorization namespace into /publishare subdirectory
  to reduce danger of clashes in load path [nod to Michael Schuerig].

* Small code refinement patch [Michael Schuerig]

* The colon preceding a model name in the authorization expression is now optional. The parser uses accepted prepositions to disambiguate models from roles.

* Change default parser from Recursive Descent parser to Eval parser.
The currently implemented recursive descent parser doesn't handle left-sided
boolean expressions well. The Eval parser relies on Ruby (a good thing), but
wherever there's an eval, we have to be more careful.

* Will start linking to and monitoring forum area at RubyForge
http://rubyforge.org/forum/?group_id=1797

* Added changelog :)

* Added return false to handle_redirection to short-circuit filters if a
redirect occurs. This is the second fix to prevent double renders.

* Changed the requires to pull files from the plugin directory. (Necessary for name conflicts between plugin and apps)

* Minor fixes to update documentation
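
Added example (not part of the plugin or of this changelog): a plain-Ruby model of the mass-assignment concern that the attr_protected entry above addresses. MiniRecord, the two user classes, apply_profile_update and the sample parameters are hypothetical stand-ins for ActiveRecord and a controller; only attr_protected, update_attributes and role_ids correspond to Rails names.

```ruby
# Added illustration: plain-Ruby stand-in for ActiveRecord mass assignment.
# MiniRecord is hypothetical; it only models "skip protected keys".
class MiniRecord
  def self.protected_attributes
    @protected_attributes ||= []
  end

  # Same intent as Rails' attr_protected: exclude names from mass assignment.
  def self.attr_protected(*names)
    protected_attributes.concat(names.map(&:to_s))
  end

  # Models update_attributes(hash): assign every key that is not protected.
  # Returning the skipped keys is an addition of this sketch, for visibility.
  def update_attributes(params)
    skipped = []
    params.each do |key, value|
      if self.class.protected_attributes.include?(key.to_s)
        skipped << key.to_s
      else
        public_send("#{key}=", value)
      end
    end
    skipped
  end
end

# Authorizable object without the protection.
class UnprotectedUser < MiniRecord
  attr_accessor :name, :role_ids
end

# Authorizable object with role ids protected, as in the 1.0 change.
class ProtectedUser < MiniRecord
  attr_accessor :name, :role_ids
  attr_protected :role_ids
end

# Constructed params for a profile form that should only carry "name".
# The extra "role_ids" key and the id 1 are made-up sample values.
SAMPLE_PARAMS = { "name" => "Pat", "role_ids" => [1] }.freeze

def apply_profile_update(klass, params)
  user = klass.new
  user.role_ids = []
  skipped = user.update_attributes(params)
  { name: user.name, role_ids: user.role_ids, skipped: skipped }
end
```

Roles on a protected object then have to be changed through explicit, separately authorized code rather than through whatever hash the form submits.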

 1.0 rc3 (July 19, 2006)

* Fix to prevent double redirect

* Fix to migration examples

... see svn log

Last updated: September 23, 2007 15:54