Rails - Oct 2005 - Problems with simple RBAC implementation

I am trying to add a simple permissions system to my rails app.  At
first I was trying all sorts of complex RBAC systems but then found
this article:

http://randomoracle.org/2005/09/24/extensible-authorisation-for-rails

I used the ideas from the article to add the following to my
ApplicationController:

  before_filter :determine_privileges

  def determine_privileges
    if @session[:user]
      @roles = @session[:user].perms.split('','')
    else
      @roles = []
    end
  end

  def method_missing(method_id, *arguments)
    method_name = method_id.id2name

    if method_name =~ /([_a-z]+)_required$/
      unless $1.split(/_or_/).detect {|r| @roles.include? r }
        redirect_to @redirect and return false
      end
    else
      super unless method_name == ''index''
    end
  end

I added the "unless method_name == ''index''" because
it was croaking on
empty controllers that had views declared but no actions.  This code
basically reads a comma-separated list of roles from the database
(located in user.perms) and if a page is protected, it redirects
unauthorized users back to where they came from.

However, I''m still getting a problem for pages that I''m trying
to
protect.  On one controller I tried adding:

before_filter :login_required, :admin_required

It gets a stack overflow from too many recursive calls to redirect_to.
 I don''t really know where @redirect is coming from in the preceding
code.  Is that always there or is it something added by the author of
the post?  If so, is there a failsafe way to return the user to the
last page?

Thanks,

Carl Youngblood

Never mind, here is my simple fix for my problem.  I added an
after_filter that stores the current URL in the session so that it can
be redirected back to.  Sorry to pollute the list--I''m still learning
rails :)

# The filters added to this controller will be run for all controllers
in the application.
# Likewise will all the methods added be available for all controllers.
require_dependency "login_system"
class ApplicationController < ActionController::Base
  include LoginSystem
  model :user
  layout ''main''

  before_filter :determine_privileges
  after_filter :store_location

  def determine_privileges
    if @session[:user]
      @roles = @session[:user].perms.split('','')
    else
      @roles = []
    end
  end

  def store_location
    @session[:return_to] = @request.request_uri
  end

  def method_missing(method_id, *arguments)
    method_name = method_id.id2name

    if method_name =~ /([_a-z]+)_required$/
      unless $1.split(/_or_/).detect {|r| @roles.include? r }
        redirect_to @session[:return_to] and return false
      end
    else
      super unless method_name == ''index''
    end
  end

end