Today I was writing an authentication filter for my controllers that
needed some parameters. That is what I did:

  def self.verify_permission(permission, options={})
    before_filter { |controller| controller.verify_permission(permission, options) }
  end

  def verify_permission(permission, options)
    # actual authentication code goes here
  end

And check the permissions with, say:

  verify_permission :manage_simulation, :simulation => 1 # just fictitious

Is it possible to do it with Rails directly with some syntax like the below?

  before_filter :verify_permission, :parameters => [:manage_simulation,
    {:simulation => 1}], :except => [:login]

If not, it is not complicated to implement, so are there any reasons why
this would be a bad idea?

Thanks in advance,

Rodrigo.

I assume you're looking for a good way to implement authorization rules, in which case you might want to take a look at the following plugin: http://github.com/Fingertips/authorization-san

And check out this rails template for more examples on how to use it: http://github.com/Fingertips/rails-template

HTH,
Eloy

On Nov 2, 2009, at 2:19 PM, Rodrigo Rosenfeld Rosas wrote:
> Today I was writing an authentication filter for my controllers that
> needed some parameters. That is what I did:
>
> def self.verify_permission(permission, options={})
>   before_filter { |controller| controller.verify_permission(permission, options) }
> end
> def verify_permission(permission, options)
>   # actual authentication code goes here
> end
>
> And check the permissions with, say:
>
> verify_permission :manage_simulation, :simulation => 1 # just fictitious
>
> Is it possible to do it with Rails directly with some syntax like
> the below?
>
> before_filter :verify_permission, :parameters => [:manage_simulation,
>   {:simulation => 1}], :except => [:login]
>
> If not, it is not complicated to implement, so are there any reasons
> why this would be a bad idea?
>
> Thanks in advance,
>
> Rodrigo.

Hi Eloy, thank you for your suggestion, but I don't think it would satisfy my needs...

In my case, a user has a role that can be attached to some conditions. For instance, the user 'manager' has a role 'institution_admin' only for institution 'manager_institution'...

But anyway, that was just an example. I was really curious about filters supporting parameters directly.

Best regards,

Rodrigo.

On 02-11-2009 14:06, Eloy Duran wrote:
> I assume you're looking for a good way to implement authorization
> rules, in which case you might want to take a look at the following
> plugin: http://github.com/Fingertips/authorization-san
>
> And check out this rails template for more examples on how to use it: http://github.com/Fingertips/rails-template
>
> HTH,
> Eloy
>
> On Nov 2, 2009, at 2:19 PM, Rodrigo Rosenfeld Rosas wrote:
>
>> Today I was writing an authentication filter for my controllers that
>> needed some parameters. That is what I did:
>>
>> def self.verify_permission(permission, options={})
>>   before_filter { |controller| controller.verify_permission(permission, options) }
>> end
>> def verify_permission(permission, options)
>>   # actual authentication code goes here
>> end
>>
>> And check the permissions with, say:
>>
>> verify_permission :manage_simulation, :simulation => 1 # just fictitious
>>
>> Is it possible to do it with Rails directly with some syntax like
>> the below?
>>
>> before_filter :verify_permission, :parameters => [:manage_simulation,
>>   {:simulation => 1}], :except => [:login]
>>
>> If not, it is not complicated to implement, so are there any reasons
>> why this would be a bad idea?
>>
>> Thanks in advance,
>>
>> Rodrigo.

Hey Rodrigo,

> Hi Eloy, thank you for your suggestion, but I don't think it would
> satisfy my needs...
>
> In my case, a user has a role that can be attached to some conditions.
> For instance, the user 'manager' has a role 'institution_admin' only
> for institution 'manager_institution'...

I don't completely follow the explanation of the example, but that would probably be easy with authorization-san. It already supports the idea of 'role' on an object. In all the projects we have used it, we haven't found one scenario that we couldn't solve.

  class InstitutionsController < ActionController::Base
    allow_access :institution_admin do
      # perform any checks and return truthy or falsy value
    end
  end

> But anyway, that was just an example. I was really curious about
> filters supporting parameters directly.

I'm not sure there is any reason to, since like I said we have been able to solve all situations we've come across. Besides that, I'm not sure that I find the examples you gave of how it would look like to be readable/understandable. Maybe it's the example, maybe it's me…

Cheers,
Eloy

Rodrigo Rosenfeld Rosas
2009-Nov-03  10:16 UTC
[off-topic] Re: Re: Controller filter parameters
On 02-11-2009 15:05, Eloy Duran wrote:
> Hey Rodrigo,
>
>> Hi Eloy, thank you for your suggestion, but I don't think it would
>> satisfy my needs...
>>
>> In my case, a user has a role that can be attached to some conditions.
>> For instance, the user 'manager' has a role 'institution_admin' only
>> for institution 'manager_institution'...
>
> I don't completely follow the explanation of the example, but that
> would probably be easy with authorization-san. It already supports the
> idea of 'role' on an object.
> In all the projects we have used it, we haven't found one scenario
> that we couldn't solve.
>
> class InstitutionsController < ActionController::Base
>   allow_access :institution_admin do
>     # perform any checks and return truthy or falsy value
>   end
> end

I still can't figure out how would be the complete use case with authorization-san.

Let me put the examples in more detail. In my project, users have roles, which have permissions, as usual.

But some roles are attached to some condition. In a role 'institution_admin', a user should be attached to some specific existent institution.

But if a user belongs to 'system_admin' role, for instance, it shouldn't be attached to any conditions.

I have in User:

  has_many :roles, :through => :assignments

And in Assignment, there is 'user_id', 'role_id' and an integer 'condition' that could be null. The roles are fixed and I check that condition is filled in correctly depending on the role.

There is a hash that maps the expected condition class to each role.

If you think I could do the same with authorization-san, I would be glad to see a more in-depth example.

Thank you,

Rodrigo.

Hi Rodrigo,
Here is an example of what you probably want:
  class User < ActiveRecord::Base
    has_many :roles

    # Role predicates that allow_access looks up by name
    def institution_admin?
      roles.any? { |r| r.label == 'institution_admin' }
    end

    def system_admin?
      roles.any? { |r| r.label == 'system_admin' }
    end
  end

  class InstitutionController < ApplicationController
    # System admins get access unconditionally
    allow_access(:system_admin)
    # Institution admins only when the block returns a truthy value
    allow_access(:institution_admin) do
      @authenticated.institution == @institution
    end

    # Load the record before the access rules are evaluated
    prepend_before_filter :find_institution

    private

    def find_institution
      @institution = Institution.find(params[:id])
    end
  end
Can you restart this discussion on the Rails Talk list and CC Eloy and
me? This list is meant for discussing Rails core development.
Thanks,
 Manfred
Hi Rodrigo,
The boolean accessors on the User model could probably be refactored,  
but you get the idea.
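   class User < ActiveRecord::Base
     has_many :roles

     # Role predicates that allow_access looks up by name
     def institution_admin?
       roles.any? { |r| r.label == 'institution_admin' }
     end

     def system_admin?
       roles.any? { |r| r.label == 'system_admin' }
     end
   end

   class InstitutionController < ApplicationController
     # System admins get access unconditionally
     allow_access(:system_admin)
     # Institution admins only when the block returns a truthy value
     allow_access(:institution_admin) do
       @authenticated.institution == @institution
     end

     # Load the record before the access rules are evaluated
     prepend_before_filter :find_institution

     private

     def find_institution
       @institution = Institution.find(params[:id])
     end
   end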
Can we continue this discussion on Ruby on Rails: Talk? This list is  
meant for discussions about Ruby on Rails core development.
Manfred
Sent from my colleagues' Mac pro.
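
The assignment model Rodrigo describes (a role plus a nullable condition) can be checked with a default-deny rule as sketched below. This is an added example, not code from the thread or from authorization-san; it is plain Ruby without Rails, and `Assignment`, `ROLE_PERMISSIONS`, `ROLE_SCOPE` and `permitted?` are hypothetical names with constructed sample data.

```ruby
# Added example: plain Ruby, no Rails. All names and data here are hypothetical.
Assignment = Struct.new(:role, :condition) # condition: scoped record id, or nil

# Permissions carried by each fixed role (constructed sample data).
ROLE_PERMISSIONS = {
  system_admin:      [:manage_simulation, :manage_institution],
  institution_admin: [:manage_institution]
}.freeze

# Option key a role's condition is compared with; nil marks a global role.
ROLE_SCOPE = { system_admin: nil, institution_admin: :institution }.freeze

class User
  def initialize(assignments)
    @assignments = assignments
  end

  # Default deny: true only when a well-formed assignment grants the
  # permission for the resource ids passed in options.
  def permitted?(permission, options = {})
    @assignments.any? do |a|
      next false unless ROLE_PERMISSIONS.fetch(a.role, []).include?(permission)
      next false unless ROLE_SCOPE.key?(a.role)
      scope_key = ROLE_SCOPE[a.role]
      if scope_key.nil?
        a.condition.nil? # a global role must carry no condition
      else
        # A scoped role with a missing condition, or a check that names no
        # resource, never matches: nil == nil must not grant access.
        !a.condition.nil? && options[scope_key] == a.condition
      end
    end
  end
end

def demo
  manager = User.new([Assignment.new(:institution_admin, 7)])
  broken  = User.new([Assignment.new(:institution_admin, nil)]) # malformed row
  root    = User.new([Assignment.new(:system_admin, nil)])
  {
    own_institution:   manager.permitted?(:manage_institution, institution: 7),
    other_institution: manager.permitted?(:manage_institution, institution: 8),
    no_resource_named: manager.permitted?(:manage_institution),
    malformed_scoped:  broken.permitted?(:manage_institution),
    wrong_permission:  manager.permitted?(:manage_simulation, institution: 7),
    global_admin:      root.permitted?(:manage_simulation, simulation: 1)
  }
end
```

In a controller the resource id comes from request parameters as a string, so it has to be converted to the stored type before the comparison or every scoped check will be denied.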