Bruce,

I've just gotten the chance to take a look at the code somewhat, and have two quick questions for you.

First, you note that the first test that returns 'true' for an attribute ends the permissions check. I might be missing something from the code, but would it make more sense to continue the tests to see if any declares the attribute as restricted?

Second, could you explain the purpose of the class method login_user? This has a comment that it needs to be fixed, and returns nil for now, but I am curious as to its use later in the code. I think I have an idea, but I'd like to make sure that it is the correct one.

Other than that, this is nice code! Personally (and I am no security expert), I believe that having multiple layers of security is not a bad thing, even though, as you suggested, it may violate the DRY principle. My feeling is that as long as it is not possible that the combination of two layers makes the overall system less secure, then adding another layer that may further restrict access is certainly valuable for sensitive applications.

If I were to do the salted login generator over, I probably would not have included internationalization support, so I am glad to see that gone. While I believe this is important in the future, I think it is overkill for the generator without support in the Rails framework itself (or a better gem for overall app support of internationalization). Also, I would remove transaction support, so I am glad to see that gone as well. Unless plaintext passwords are being mailed to users, I see no need for it (and even then, it is not strictly necessary).

As for suggestions, I'll give it some thought. The only one that comes to mind immediately is that you may wish to consider using the email address as the login id. I've gotten numerous requests for this, and I think that it is probably the right way to go.

Do you have plans to turn this into a generator? I'd be happy to help with that, and writing unit tests. I found them to be invaluable when fixing bugs with the salted login generator.

Joe