mikldt/authenticates_access
AuthenticatesAccess
===================

AuthenticatesAccess can be used to implement model-based authentication and
authorization features in your application. It is built around the concept
of "accessors": model objects that are used as tokens to access other
model objects. Accessors might be users, groups, or sessions.
AuthenticatesAccess lets methods defined on the accessor, or on the object
being accessed, decide whether a given action should be allowed.

Example
=======

Models need to define the access restrictions which will apply. If the concept
of "ownership" is to be used, the model must declare which attribute
refers to the object's owner; the owner then plays the role of accessor
in the application.

class User < ActiveRecord::Base
  # user has an is_admin attribute

  # don't let non-admins change the is_admin attribute
  authenticates_writes_to :is_admin, :with_accessor_method => :is_admin

  # allow users to save their own profile
  authenticates_saves :with => :allow_owner

  # also allow admins to save any user profile
  authenticates_saves :with_accessor_method => :is_admin

  # note that ownership doesn't confer all privileges: the is_admin
  # restriction above still applies to an owner who is not an admin.
  # has_owner :self means that the accessor's ID will be compared
  # with this object's own ID for the allow_owner test.
  has_owner :self
end

class Comment < ActiveRecord::Base
  belongs_to :user

  # allow users to edit their own comments (but not others)
  # has_owner :user means that user.id will be compared to accessor.id
  # for the allow_owner test to pass.
  has_owner :user

  # register the ownership test for any saves
  authenticates_saves :with => :allow_owner

  # this will also allow admins to edit any comments
  authenticates_saves :with_accessor_method => :is_admin

  # this makes the creating user the owner of the comment
  autosets_owner_on_create
end

The application controller should set an accessor to be used:

class ApplicationController < ActionController::Base
  before_filter :setup_accessor

  protected

  # runs on every request, so the accessor is nil for anonymous visitors
  def setup_accessor
    ActiveRecord::Base.accessor = logged_in_user
  end

  # find_by_id returns nil (rather than raising) when nobody is logged in
  def logged_in_user
    User.find_by_id(session[:user_id])
  end
end

The views may use methods to determine which attributes may currently
be written, or whether the object may be modified at all.

<% if @user.allowed_to_save(:is_admin) %>
<%= f.check_box :is_admin %>
<% end %>

<% if user.allowed_to_save %>
<%= link_to 'Edit', edit_user_path(user) %>
<% end %>
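To make the accessor model concrete, here is a dependency-free Ruby sketch added for this page. It is not the plugin's code: the macros (`has_owner`, `authenticates_saves`, `authenticates_writes_to`), the query method `allowed_to_save` and the `accessor=` setter are reimplemented from the README's description, and two details are assumptions, namely that a save is allowed when any registered save test passes (owner or admin) and that `allowed_to_save(:attr)` additionally requires that attribute's own write test to pass. The accessor is held in `Thread.current` rather than a plain class variable and cleared afterwards, which is how a request-scoped accessor should be handled in a threaded server.

```ruby
# Illustration of the "accessor" idea in this README. NOT the
# authenticates_access plugin's code: the macros and query methods are
# modelled on the README's names, and the combination rule (any passing
# save test permits the save; a per-attribute write test must also pass
# for that attribute) is an assumption.
module AccessChecks
  def self.included(base)
    base.extend(ClassMethods)
  end

  # The accessor is the object (user, group, session) currently acting on
  # the models. Kept per thread so concurrent requests in a threaded server
  # cannot observe each other's accessor.
  def self.accessor
    Thread.current[:access_checks_accessor]
  end

  def self.accessor=(obj)
    Thread.current[:access_checks_accessor] = obj
  end

  module ClassMethods
    attr_reader :owner_attr

    # has_owner :self compares the accessor's id with this object's own id;
    # has_owner :user compares it with user.id.
    def has_owner(attr)
      @owner_attr = attr
    end

    def save_tests
      @save_tests ||= []
    end

    def write_tests
      @write_tests ||= Hash.new { |h, k| h[k] = [] }
    end

    # authenticates_saves :with => :allow_owner
    # authenticates_saves :with_accessor_method => :is_admin
    def authenticates_saves(opts)
      save_tests << opts
    end

    # authenticates_writes_to :is_admin, :with_accessor_method => :is_admin
    def authenticates_writes_to(attr, opts)
      write_tests[attr] << opts
    end
  end

  # Id of this object's owner, or nil when no owner is declared or set.
  def owner_id
    attr = self.class.owner_attr
    return nil if attr.nil?
    owner = attr == :self ? self : send(attr)
    owner && owner.id
  end

  # Evaluate one registered test; no accessor (anonymous) never passes.
  def passes?(test)
    accessor = AccessChecks.accessor
    return false if accessor.nil?
    if test[:with] == :allow_owner
      !owner_id.nil? && owner_id == accessor.id
    elsif (meth = test[:with_accessor_method])
      !!(accessor.respond_to?(meth) && accessor.send(meth))
    else
      false
    end
  end

  # allowed_to_save        -> may the accessor save this object at all?
  # allowed_to_save(:attr) -> ...and may it also write :attr?
  def allowed_to_save(attr = nil)
    saveable = self.class.save_tests.any? { |t| passes?(t) }
    return saveable if attr.nil?
    restrictions = self.class.write_tests[attr]
    saveable && (restrictions.empty? || restrictions.any? { |t| passes?(t) })
  end
end

# Plain Ruby stand-ins (constructed here) for the README's ActiveRecord models.
class User
  include AccessChecks
  attr_reader :id, :is_admin
  def initialize(id, is_admin = false)
    @id, @is_admin = id, is_admin
  end
  has_owner :self
  authenticates_writes_to :is_admin, :with_accessor_method => :is_admin
  authenticates_saves :with => :allow_owner
  authenticates_saves :with_accessor_method => :is_admin
end

class Comment
  include AccessChecks
  attr_reader :id, :user
  def initialize(id, user)
    @id, @user = id, user
  end
  has_owner :user
  authenticates_saves :with => :allow_owner
  authenticates_saves :with_accessor_method => :is_admin
end

# Runs the checks for several accessors (sample data constructed here) and
# returns { accessor_name => { check => true/false } }.
def access_matrix
  alice, bob, root = User.new(1), User.new(2), User.new(3, true)
  alices_comment = Comment.new(10, alice)
  results = {}
  { :alice => alice, :bob => bob, :root => root, :anonymous => nil }.each do |name, who|
    AccessChecks.accessor = who
    results[name] = {
      :save_alices_comment => alices_comment.allowed_to_save,
      :save_alices_profile => alice.allowed_to_save,
      :promote_alice       => alice.allowed_to_save(:is_admin),
    }
  end
  # clear the accessor afterwards, as a request-scoped filter should, so the
  # last accessor never leaks into later work on this thread
  AccessChecks.accessor = nil
  results
end

puts access_matrix.inspect if $0 == __FILE__
```

Running the file prints the matrix: ownership lets alice save her own profile and her own comment but not flip her own `is_admin` flag, an admin passes every check, and an anonymous visitor (accessor nil) passes none.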

Copyright (c) 2009 Andrew H. Armenia, released under the MIT license.

Model-based authentication plugin for Rails + structure for authorizing reads, too!