Hi all

I'm coding a project that needs a lot of authentication stuff... e.g. I'm writing sort of a profile area, where users can create their different profiles. So I need to check if a user has the right to browse the profiles, if he has the right to change them all (as an admin) or only the ones that belong to him, etc. This needs quite some logic...

Now I wonder whether to use the existing UserEngine for authentication stuff, or if I should write my own... I guess that the UserEngine needs quite a lot of performance because it makes so many calls to the DB. And it only has controller/action pairs that it can validate, so I don't think that it fits my needs.

I rather thought about creating my own system, that does not validate controller/action pairs, but "real" roles and permissions.

Semantic code:

    class ProfilesController < ApplicationController
      def edit
        # allowed if the user holds the named right or is a member of the admin role
        if user.has_right?('EDIT_PROFILES') or user.belongs_to?('ADMINS')
          # do edit stuff
        else
          render :partial => 'permission_error'
        end
      end
    end

What do you think about that? Am I missing something, or is it really better to create my own authentication system rather than using the UserEngine? Or are there other authentication systems available for Rails apps?

Thanks a lot for your opinions. :-)
Joshua

--
Posted via http://www.ruby-forum.com/.
On Thursday, August 10, 2006, at 4:13 PM, Joshua Muheim wrote:

> Hi all
>
> I'm coding a project that needs a lot of authentication stuff... e.g. I
> write sort of a profile area, where users can create their different
> profiles.
> So I need to check if a user has the right to browse the profiles, if he
> has the right to change them all (as an admin) or the ones that belong
> to him etc. etc. This needs quite some logic...
>
> Now I wonder whether to use the existing UserEngine for authentication
> stuff, or if I should write my own...
> I guess that the UserEngine needs quite a lot of performance because it
> makes so many calls to the DB. And it only has controller/action pairs
> that it can validate, so I don't think that it fits my needs.
>
> I rather thought about creating my own system, that does not validate
> controller/action pairs, but "real" roles and permissions.
>
> Semantic code:
>
> class profiles_controller < ApplicationController
>   def edit
>     if user.has_right 'EDIT_PROFILES' or user.belongs_to 'ADMINS'
>       # do edit stuff
>     else
>       render :partial => 'permission_error'
>     end
>   end
> end
>
> What do you think about that? Do I miss something or is it really better
> to create my own authentication system rather than using the UserEngine?
> Or are there other authentication systems available for Rails apps?
>
> Thanks a lot for your opinions. :-)
> Joshua
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

The user_engine is pretty good so long as you don't need record level security. It can do roles and controls access through controller/action pair permissions, as you noted.

It sounds like what you want to do is stick a before_filter before some specific actions to deny access to a particular record if the current user is not the owner of that record. You could do this....

    # run the ownership check only for the actions that touch a single record
    before_filter :check_owner, :only => [:edit_profile, ...]

    private

    # Deny the request unless the current user created the requested record.
    def check_owner
      @item = Item.find(params[:id])
      unless @item.created_by == current_user.id
        flash[:notice] = "Access Denied"
        redirect_to :back
        return false  # a false return halts the filter chain, so the action never runs
      end
    end

I don't know of any generic way to control record level access at the moment.

_Kevin
www.sciwerks.com

--
Posted with http://DevLists.com. Sign up and save your mailbox.
Joshua Muheim
2006-Aug-15 14:40 UTC
[Rails] Re: Authentication: UserEngine or own creation?
Thanks for your answer. I just feel like the UserEngine is pretty slow, because it has to read quite a bit from the DB as soon as you get many controllers. E.g. every link_if_authorized seems to call the DB again; there's no caching or stuff like that.

Is the UserEngine in use in bigger projects? Or do they rather rely on their own authentication implementation?

Btw. I just stumbled over the table field "system role"... what's this?

Thanks and greets,
Josh

--
Posted via http://www.ruby-forum.com/.
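Putting the two sides of the thread together, here is an added example (plain Ruby, not code from the thread, from the UserEngine or from any Rails project) of a deny-by-default check that combines Joshua's named rights and roles with Kevin's record-ownership test, and that builds the user's permission set once so repeated checks such as link_if_authorized do not go back to the DB; the Role, User, Profile and Authorizer names and all sample data are constructed for this example.

```ruby
# Constructed example: plain Ruby, no Rails or UserEngine dependency.
# Roles carry named permissions (Joshua's sketch); ownership of the
# record is checked separately (Kevin's before_filter).
Role    = Struct.new(:name, :permissions)
User    = Struct.new(:id, :roles)
Profile = Struct.new(:id, :owner_id)

class Authorizer
  # Resolve roles to a flat permission set once per request, so every
  # later has_right?/belongs_to? call is an in-memory lookup.
  def initialize(user)
    @user        = user
    @permissions = user.roles.flat_map(&:permissions).map(&:to_s).uniq.freeze
    @role_names  = user.roles.map(&:name).map(&:to_s).freeze
  end

  def has_right?(permission)
    @permissions.include?(permission.to_s)
  end

  def belongs_to?(role_name)
    @role_names.include?(role_name.to_s)
  end

  # Record-level rule: the user must be the owner of this particular record.
  def owns?(record)
    record.owner_id == @user.id
  end

  # Deny by default: admins and holders of EDIT_PROFILES may edit any
  # profile; everyone else may edit only a profile they own.
  def can_edit_profile?(profile)
    return true if belongs_to?('ADMINS') || has_right?('EDIT_PROFILES')
    owns?(profile)
  end
end

# Constructed sample data (hypothetical roles and users).
ADMINS       = Role.new('ADMINS',  %w[EDIT_PROFILES BROWSE_PROFILES])
MEMBERS      = Role.new('MEMBERS', %w[BROWSE_PROFILES])
ALICE        = User.new(1, [ADMINS])
BOB          = User.new(2, [MEMBERS])
CAROL        = User.new(3, [MEMBERS])
BOBS_PROFILE = Profile.new(10, BOB.id)

# What a controller's edit action (or a before_filter) would ask.
def edit_allowed?(user, profile)
  Authorizer.new(user).can_edit_profile?(profile)
end
```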