foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Dec-18 14:35 UTC
Authorization on instances
I want to limit access to an instance of a model, so authorization based on an action wouldn't suffice. Is there any plugin with this kind of functionality or am I on my own? Any hints?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
On 12/18/06, foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org <foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I want to limit access to an instance of a model, so authorization
> based on an action wouldn't suffice. Is there any plugin with this kind
> of functionality or am I on my own? Any hints?

Just write the code in the model yourself. Here's some untested code:

    class Book < ActiveRecord::Base
      belongs_to :user
    end

    class User < ActiveRecord::Base
      has_many :books

      def find_book(book_id)
        # Assumes we have a boolean 'admin' field
        if admin?
          Book.find book_id
        else
          # scoped through the association: raises RecordNotFound
          # unless the book belongs to this user
          books.find book_id
        end
      end
    end

Then in your code, you can just do

    current_user.find_book params[:id]

that kinda thing. Now the authorization is offloaded to the user model, and you don't even have to worry about authorization in your client code. Alternatively, you could do a can_read? sort of method:

    def can_read?(book)
      admin? || !books.find_by_id(book.id).nil?
    end

There's certainly a way to make the can_read? method more efficient, but you get the idea.

Those are two different approaches I would take, and it would depend on how I want to write my code. A lot of the time I prefer the first, because authorization is effective but transparent. A downside is that you don't know whether a user is unauthorized or if the book just doesn't exist...so if you want to treat those cases differently then you'll prefer the second approach.

Pat
Hi,

On 18 Dec 06, at 15:35, foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> I want to limit access to an instance of a model, so authorization
> based on an action wouldn't suffice. Is there any plugin with this kind
> of functionality or am I on my own? Any hints?

I'm sure active_rbac can do this. You need to define your permissions for this though :-)

Jean-Christophe Michel
foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Dec-19 22:50 UTC
Re: Authorization on instances
On Dec 18, 6:45 pm, Jean-Christophe Michel <jc.mic...-/aRvmaKoZxNWk0Htik3J/w@public.gmane.org> wrote:
> > I want to limit access to an instance of a model, so authorization
> > based on an action wouldn't suffice. Is there any plugin with this kind
> > of functionality or am I on my own? Any hints?
> I'm sure active_rbac can do this. You need to define your permissions
> for this though :-)

Going through the ActiveRBAC manual right now, and I still can't find it. Can you point me to the section of the documentation that talks about this functionality?
On 12/19/06, foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org <foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I want to limit access to an instance of a model, so authorization
> based on an action wouldn't suffice. Is there any plugin with this kind
> of functionality or am I on my own? Any hints?

Bill Katz has released what looks like a great plugin for this.

http://www.agilewebdevelopment.com/plugins/authorization
foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Dec-19 23:33 UTC
Re: Authorization on instances
On Dec 18, 3:51 pm, "Pat Maddox" <perg...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > I want to limit access to an instance of a model, so authorization
> > based on an action wouldn't suffice. Is there any plugin with this kind
> > of functionality or am I on my own? Any hints?
>
> Just write the code in the model yourself. Here's some untested code:
>
> class Book
>   belongs_to :user
> end
>
> class User
>   has_many :books
>
>   def find_book(book_id)
>     # Assumes we have a boolean 'admin' field
>     if admin?
>       Book.find book_id
>     else
>       books.find book_id
>     end
>   end
>
> Then in your code, you can just do
>   current_user.find_book params[:id]
>
> that kinda thing. Now the authorization is offloaded to the user
> model, and you don't even have to worry about authorization in your
> client code. Alternatively, you could do a can_read? sort of method:
>
> def can_read?(book)
>   admin? || !books.find_by_id(book.id).nil?
> end
>
> There's certainly a way to make the can_read? method more efficient,
> but you get the idea.
>
> Those are two different approaches I would take, and it would depend
> on how I want to write my code. A lot of the times I prefer the
> first, because authorization is effective but transparent. A downside
> is that you don't know whether a user is unauthorized or if the book
> just doesn't exist...so if you want to treat those cases differently
> then you'll prefer the second approach.

Damn, it seems Google ate my inspired post. It couldn't possibly be me, oh no. :) Trying to recuperate now...

My first post might have been a bit misleading. I'm not what you might call a skilled programmer, possibly not even a clear thinker. What I actually meant when writing "limiting access" is to ask about authorization on all of the CRUD operations.

Obviously I have to admit I'm struggling a bit with your example. Perhaps I should give my own. I'm trying to make some sort of a CMS for my school web site. Let's say I have a model Course. There are some models related to the Course, like Announcement, Report, etc. I have to ensure that only authorized personnel can create, update and delete content for a specific course, make an announcement related to that course etc. So, Maths related personnel would make changes only to that instance of the Course model (and the instances of related models). There are probably going to be about two dozen authorized users, possibly more, divided into groups which are going to be used for authorization management. But, first things first. So far I've found

http://wiki.rubyonrails.org/rails/pages/ACLController

and it looks promising. Only, I'm kind of cautious, since none of the plugins I've seen so far uses the same approach; they all deal with restricting access based on an action, not on URL. Are there any shortcomings I should be aware of regarding this article?

What I'm looking for is hopefully some plugin with this functionality, but I'll settle for some article or tutorial about the issue. It couldn't possibly be a unique problem, so I'm thinking there must be some good reference on the mighty net. It doesn't even have to be strictly about RoR (see how desperate I am?) I've tried Googling, but perhaps not using the right keywords (not being a native speaker doesn't help either). I'm quite willing (and eager) to do my share of hard work, just need a pointing finger (probably to the obvious).

Thanks for the patience (and for even reading this far). :)
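The two approaches Pat sketched above, carried over to the Course/group scenario in this message, as an added example that is not from any poster in the thread and not the ActiveRBAC or Bill Katz plugin code. It uses plain Ruby with in-memory constructed sample data instead of ActiveRecord so it runs offline; `Course`, `User`, `find_course`, `can?` and `update_course` are hypothetical names. The point it makes for a reviewer: a check keyed only on the controller action or URL cannot decide instance-level access, because the decision depends on which record the id resolves to; either the lookup itself has to be scoped by the caller's permissions (approach 1, which cannot tell "missing" from "not yours"), or the concrete instance has to be handed to an explicit per-action predicate (approach 2, which can).

```ruby
# Added example (not from the thread): instance-level authorization in plain Ruby,
# modelling the two approaches Pat describes and the OP's Course/group scenario.
# ActiveRecord is deliberately not used; the in-memory "tables" below are
# constructed sample data and every class and method name is hypothetical.

# Raised when a permission-scoped lookup finds nothing. Like
# ActiveRecord::RecordNotFound, it does not reveal whether the record is
# missing or merely invisible to this caller.
class RecordNotFound < StandardError; end

# A course is owned by one staff group (e.g. "maths"); related content such as
# announcements and reports inherits the course's ownership for authorization.
Course = Struct.new(:id, :name, :group)

User = Struct.new(:id, :name, :groups, :admin) do
  def admin?
    admin
  end

  # Approach 1 (Pat's find_book): the lookup itself is scoped. Non-admins can
  # only reach courses owned by one of their groups; anything else raises,
  # exactly as if the id did not exist. Controllers call this, never a bare
  # Course.find on a user-supplied id.
  def find_course(course_id, courses = COURSES)
    scope = admin? ? courses : courses.select { |c| groups.include?(c.group) }
    scope.find { |c| c.id == course_id } or raise RecordNotFound, "course #{course_id}"
  end

  # Approach 2 (Pat's can_read?), widened to every CRUD action: an explicit
  # predicate over the concrete instance, so the caller can distinguish
  # "does not exist" from "not yours". Unknown actions are denied by default.
  def can?(action, course)
    return true if admin?
    case action
    when :read                       then true                          # public site lists all courses
    when :update, :delete            then groups.include?(course.group)
    when :create_announcement, :create_report then groups.include?(course.group)
    else false
    end
  end
end

# Constructed sample data standing in for the courses and users tables.
COURSES = [
  Course.new(1, "Maths 101",   "maths"),
  Course.new(2, "Physics 201", "physics"),
].freeze

USERS = {
  maths_teacher: User.new(10, "M. Teacher", ["maths"], false),
  head:          User.new(11, "Head",       [],        true),
  student:       User.new(12, "Student",    [],        false),
}.freeze

# What a controller's update action does under approach 2: resolve the id,
# then ask the predicate about that instance before acting. Returns a symbolic
# outcome instead of rendering so it can be exercised without Rails.
def update_course(user, course_id, courses = COURSES)
  course = courses.find { |c| c.id == course_id }
  return :not_found unless course
  return :forbidden unless user.can?(:update, course)
  :updated
end

# Same for creating an announcement under a course: the parent instance is what
# the decision is keyed on, not the announcements controller or its URL.
def create_announcement(user, course_id, courses = COURSES)
  course = courses.find { |c| c.id == course_id }
  return :not_found unless course
  return :forbidden unless user.can?(:create_announcement, course)
  :created
end

if __FILE__ == $PROGRAM_NAME
  teacher = USERS[:maths_teacher]
  puts teacher.find_course(1).name                 # Maths 101
  begin
    teacher.find_course(2)                         # physics course: invisible to maths staff
  rescue RecordNotFound => e
    puts "approach 1: #{e.message} (missing or not yours, cannot tell)"
  end
  puts update_course(USERS[:student], 1)           # forbidden
  puts update_course(teacher, 1)                   # updated
  puts update_course(teacher, 99)                  # not_found (approach 2 can tell)
end
```

The split between `find_course` and `can?` is the trade-off from Pat's message made explicit: the scoped lookup is harder to forget in controller code, while the predicate gives a distinct "forbidden" outcome that can be logged and monitored separately from ordinary 404s.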
Hi,

I would recommend reading chapters 4 and 5 of the 'ActiveRBAC Manual'.

Good luck,

-Conrad

On 12/19/06, foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org <foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Dec 18, 3:51 pm, "Pat Maddox" <perg...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > > I want to limit access to an instance of a model, so authorization
> > > based on an action wouldn't suffice. Is there any plugin with this kind
> > > of functionality or am I on my own? Any hints?
> >
> > Just write the code in the model yourself. Here's some untested code:
> >
> > class Book
> >   belongs_to :user
> > end
> >
> > class User
> >   has_many :books
> >
> >   def find_book(book_id)
> >     # Assumes we have a boolean 'admin' field
> >     if admin?
> >       Book.find book_id
> >     else
> >       books.find book_id
> >     end
> >   end
> >
> > Then in your code, you can just do
> >   current_user.find_book params[:id]
> >
> > that kinda thing. Now the authorization is offloaded to the user
> > model, and you don't even have to worry about authorization in your
> > client code. Alternatively, you could do a can_read? sort of method:
> >
> > def can_read?(book)
> >   admin? || !books.find_by_id(book.id).nil?
> > end
> >
> > There's certainly a way to make the can_read? method more efficient,
> > but you get the idea.
> >
> > Those are two different approaches I would take, and it would depend
> > on how I want to write my code. A lot of the times I prefer the
> > first, because authorization is effective but transparent. A downside
> > is that you don't know whether a user is unauthorized or if the book
> > just doesn't exist...so if you want to treat those cases differently
> > then you'll prefer the second approach.
>
> Damn, it seems Google ate my inspired post. It couldn't possibly be me,
> oh no. :) Trying to recuperate now...
>
> My first post might have been a bit misleading. I'm not what you might
> call a skilled programmer, possibly not even a clear thinker. What I
> actually meant when writing "limiting access" is to ask about
> authorization on all of the CRUD operations.
>
> Obviously I have to admit I'm struggling a bit with your example.
> Perhaps I should give my own. I'm trying to make some sort of a CMS for
> my school web site. Let's say I have a model Course. There are some
> models related to the Course, like Announcement, Report, etc. I have to
> ensure that only authorized personnel can create, update and delete
> content for a specific course, make an announcement related to that
> course etc. So, Maths related personnel would make changes only to that
> instance of the Course model (and the instances of related models).
> There are probably going to be about two dozen authorized users,
> possibly more, divided into groups which are going to be used for
> authorization management. But, first things first. So far I've found
>
> http://wiki.rubyonrails.org/rails/pages/ACLController
>
> and it looks promising. Only, I'm kind of cautious, since none of the
> plugins I've seen so far uses the same approach; they all deal with
> restricting access based on an action, not on URL. Are there any
> shortcomings I should be aware of regarding this article?
>
> What I'm looking for is hopefully some plugin with this
> functionality, but I'll settle for some article or tutorial about the
> issue. It couldn't possibly be a unique problem, so I'm thinking there
> must be some good reference on the mighty net. It doesn't even have to
> be strictly about RoR (see how desperate I am?) I've tried Googling,
> but perhaps not using the right keywords (not being a native speaker
> doesn't help either). I'm quite willing (and eager) to do my share of
> hard work, just need a pointing finger (probably to the obvious).
> Thanks for the patience (and for even reading this far). :)
foobar.user-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Dec-20 10:51 UTC
Re: Authorization on instances
On Dec 20, 12:17 am, "Daniel N" <has....-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > I want to limit access to an instance of a model, so authorization
> > based on an action wouldn't suffice. Is there any plugin with this kind
> > of functionality or am I on my own? Any hints?
>
> Bill Katz has released what looks like a great plugin for this.
>
> http://www.agilewebdevelopment.com/plugins/authorization

Yes, this looks like something I should dwell on. Thanks everyone.