I already have a simple role based access control system (User, Role, Privilege, Client) in place for my web layer, which checks User.authorized?(controller, action, client) from a before filter.

What do you think about using this method for auth checks on the model layer as well, only with made up controller/action strings? (e.g. "model::Period", "close")

A bit simplistic for a multi user/client accounting system? I'm certainly open for better suggestions, especially if they could improve ease of use/maintenance.

Any feedback appreciated,
Isak
I don''t see why you would ever need to provide access control to your models. Access controls are for those things that the user can and cannot directly access. In a Rails app, those things are Controllers and items in the /public directory. No other parts of your Rails app are directly exposed, so none of those other parts need their own access controls... -Brian On May 16, 2006, at 06:30 AM, Isak Hansen wrote:> I already have a simple role based access control system (User, Role, > Privilege, Client) in place for my web layer, which checks > User.authorized?(controller, action, client) from a before filter. > > What do you think about using this method for auth checks on the model > layer as well, only with made up controller/action strings? (e.g. > "model::Period", "close") > > A bit simplistic for a multi user/client accounting system? I''m > certainly open for better suggestions, especially if they could > improve ease of use/maintenance. > > Any feedback appreciated, > Isak
>>>>> "Brian" == Brian Hughes <brianvh@alum.dartmouth.org> writes:

> I don't see why you would ever need to provide access control to your
> models. Access controls are for those things that the user can and
> cannot directly access. In a Rails app, those things are Controllers
> and items in the /public directory. No other parts of your Rails app
> are directly exposed, so none of those other parts need their own
> access controls...

It's called "defense in depth". If you have security in every layer, you still have some protection if the security in one layer fails. If you only have one layer of security, you lose everything if it fails.

--
Calle Dybedahl <calle@cyberpomo.com> http://www.livejournal.com/users/cdybedahl/
"I'd rather hang on to madness than normality" -- KaTe Bush
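The following is an added example, not code posted by anyone in this thread. It is a plain-Ruby stand-in (no Rails) for the scheme Isak describes, the User/Role/Privilege/Client objects with User.authorized?(controller, action, client), and it shows Calle's defense-in-depth point in practice: a Period model that guards its own close action with the made-up "model::Period"/"close" pair still refuses the call when a controller action forgets its before filter. The class bodies, the Period model, the PeriodsController stand-in and the sample users and clients are all assumptions for illustration.

```ruby
# Added example, not from the thread. Plain-Ruby stand-ins for the Rails
# models in Isak's description; every name and data value here is assumed.

Privilege = Struct.new(:controller, :action)
Client    = Struct.new(:name)

class Role
  attr_reader :name, :privileges

  def initialize(name, privileges)
    @name = name
    @privileges = privileges
  end

  def grants?(controller, action)
    privileges.any? { |p| p.controller == controller && p.action == action }
  end
end

class NotAuthorized < StandardError; end

class User
  attr_reader :name

  # roles_by_client: { Client => [Role, ...] }. Roles are scoped per client
  # so an accountant for one client cannot act on another client's books.
  def initialize(name, roles_by_client)
    @name = name
    @roles_by_client = roles_by_client
  end

  # Same signature as the before-filter check in the thread.
  def authorized?(controller, action, client)
    Array(@roles_by_client[client]).any? { |r| r.grants?(controller, action) }
  end
end

class Period
  attr_reader :client, :closed

  def initialize(client)
    @client = client
    @closed = false
  end

  # Model-layer check keyed on a made-up controller/action pair, as Isak
  # proposes. Every caller that reaches this method (controller, console,
  # rake task, background job) is checked, whatever the web layer did.
  def close!(by_user)
    unless by_user.authorized?("model::Period", "close", client)
      raise NotAuthorized, "#{by_user.name} may not close periods for #{client.name}"
    end
    @closed = true
    self
  end
end

# Web-layer stand-in for a Rails controller with a before filter.
class PeriodsController
  def initialize(current_user)
    @current_user = current_user
  end

  # Equivalent of the before filter: real controller/action names.
  def authorize!(action, client)
    unless @current_user.authorized?("periods", action, client)
      raise NotAuthorized, "controller: #{action} denied for #{client.name}"
    end
  end

  def close(period)
    authorize!("close", period.client)
    period.close!(@current_user)
  end

  # Simulates an action whose author forgot the before filter: the only
  # remaining protection is the check inside the model.
  def close_without_filter(period)
    period.close!(@current_user)
  end
end

# Constructed sample data (assumed, not from the thread).
ACME   = Client.new("acme")
GLOBEX = Client.new("globex")

ACCOUNTANT = Role.new("accountant", [
  Privilege.new("periods", "close"),
  Privilege.new("model::Period", "close"),
])
VIEWER = Role.new("viewer", [Privilege.new("periods", "show")])

# Alice keeps acme's books but may only view globex's.
ALICE = User.new("alice", ACME => [ACCOUNTANT], GLOBEX => [VIEWER])

# Runs a controller action and reports which layer (if any) refused it.
def try_close(user, period, action)
  PeriodsController.new(user).public_send(action, period)
  :closed
rescue NotAuthorized => e
  e.message.start_with?("controller") ? :denied_by_controller : :denied_by_model
end
```

With the sample data, closing an acme period through the filtered action succeeds, closing a globex period is stopped by the controller filter, and closing a globex period through the action that lacks the filter is still stopped, this time by the model. The price of the scheme is that each privileged model operation needs its privilege row ("model::Period"/"close") granted alongside the controller one, which is the maintenance cost Isak is weighing.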