Hi folks,

I am working on Station, a Rails Engine [1] that supports authorization among other things.

Using Station, you can ask a model about authorization, for example:

    post.authorize?(permission, :to => current_user)

My question arises when doing automatic Model - Controller mapping. How coupled should the action in the controller be with the permission authorized in the model?

Consider this resource:

    class PostsController
      authorization_filter
    end

This could map the authorization to the post instance this way:

* create
    Post.new.authorize?(:create, :to => current_user)
* show
    Post.find(params[:id]).authorize?(:show, :to => current_user)

I am not sure that the Controller actions should be mapped directly to the Model permissions. There are cases when an action requires several permissions, like:

* edit
    Post.find(params[:id]).authorize?(:show, :to => current_user) &&
    Post.find(params[:id]).authorize?(:update, :to => current_user)

Maybe this mapping could be declared in the controller, maybe in the model...

Can anyone shed light on this?

[1] http://rstation.wordpress.com

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
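The mapping question in the post above, as an added example that is not part of the original message and is not Station's code: a controller-side table from action to the model permissions it requires, where `edit` needs both `:show` and `:update` and an undeclared action is denied. Only `authorize?(permission, :to => user)` comes from the post; `ActionPermissions`, `permissions_for`, `authorized_for?` and the sample data are hypothetical.

```ruby
# Added example (plain Ruby, no Rails or Station required). Every name here is
# hypothetical except authorize?(permission, :to => user), quoted in the post.

# Stand-in model: permissions are granted per user in a simple hash.
class Post
  def initialize(grants)
    @grants = grants # e.g. { "alice" => [:show, :update] }
  end

  def authorize?(permission, options = {})
    @grants.fetch(options[:to], []).include?(permission)
  end
end

# Controller-side declaration: action name => model permissions it requires.
module ActionPermissions
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def permissions_for(action, *permissions)
      action_permissions[action.to_sym] = permissions.freeze
    end

    def action_permissions
      @action_permissions ||= {}
    end
  end

  # True only if the action is declared and every permission is granted.
  # An undeclared action is denied rather than mapped to a same-named permission.
  def authorized_for?(action, resource, user)
    required = self.class.action_permissions[action.to_sym]
    return false if required.nil? || required.empty?
    required.all? { |permission| resource.authorize?(permission, :to => user) }
  end
end

class PostsController
  include ActionPermissions
  permissions_for :show, :show
  permissions_for :edit, :show, :update
  permissions_for :update, :show, :update
end

# Constructed sample data.
POST = Post.new("alice" => [:show, :update], "bob" => [:show])
```

Keeping the table in the controller leaves the model's permission vocabulary small, while the fail-closed lookup means a newly added action is unreachable until someone declares what it requires.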
Antonio Tapiador del Dujo wrote:
> Hi folks,
> I am working on Station, a Rails Engine [1] that supports authorization
> among other things.
>
> Using Station, you can ask a model about authorization, for example:
>
> post.authorize?(permission, :to => current_user)
>
> My question arises when doing automatic Model - Controller mapping. How
> coupled should the action in the controller be with the permission
> authorized in the model?

Philosophically, I agree with Ryan Bates' approach in CanCan, which is to decouple authorization from everything, including all three layers of MVC.

http://github.com/ryanb/cancan

I say "philosophically" since I have not had the opportunity to implement CanCan in any of my projects yet.

--
Posted via http://www.ruby-forum.com/.
Very interesting solution. And pretty similar to Station, btw.

Many thanks for the link, Robert!

On Monday, 26 April 2010 20:15:32 Robert Walker wrote:
> Antonio Tapiador del Dujo wrote:
> > Hi folks,
> > I am working on Station, a Rails Engine [1] that supports authorization
> > among other things.
> >
> > Using Station, you can ask a model about authorization, for example:
> >
> > post.authorize?(permission, :to => current_user)
> >
> > My question arises when doing automatic Model - Controller mapping. How
> > coupled should the action in the controller be with the permission
> > authorized in the model?
>
> Philosophically, I agree with Ryan Bates' approach in CanCan, which is
> to decouple authorization from everything, including all three layers of
> MVC.
>
> http://github.com/ryanb/cancan
>
> I say "philosophically" since I have not had the opportunity to
> implement CanCan in any of my projects yet.