Norbert Melzer
2011-Oct-14 16:03 UTC
[Wanted] A gem that handles authentication AND authorization for me
Hi All!

I am searching for a gem that handles authentication and authorization at the same time for me.

I tried several combinations of different authentication and authorization gems, but even if the combinations worked, I don't get comfortable with them. I dislike having to configure so many things in so many places...

Therefore I am searching for a gem that handles both for me and is easy to configure.

It should work with rails 3.1 and have configurable roles. +1 if I can add own roles. +2 if I can assign the roles per object and don't have to assign them system-wide...

To clarify the +2:
Let's say I have a forum and a blog with the same user base. I have the admin role in both places and may do everything everywhere.
A normal user without special rights is allowed to read and comment in the blog and to write in the forum.
The user "klaus" is an author for blog posts but has no special rights in the forum, so there he is a normal user.
On the other hand there is "alfred" who is allowed to moderate the forum but not allowed to do anything more than comments and reading in the blog.
There could be a third user that is allowed to write articles in the blog and moderate the forum...

With the authorization gems I found and tried so far I had to define system-wide roles that had to implement different behaviour for the subsystems, so I had the following roles in this simple scenario:

owner -> Overall site admin
blog_author_and_forum_mod -> Is allowed to use full blog and moderate in the forum
only_blog_author -> Is allowed to use the blog but is a simple user in the forum
only_forum_mod -> Is allowed to moderate the forum, but is not allowed to create his own blog posts
user -> standard user as described above
guest -> Read-only, is not allowed to comment or write in the forum.

If there are other subsystems added or hidden forums this will get much more complicated...

TIA
Norbert

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Sean Six
2011-Oct-14 18:34 UTC
Re: [Wanted] A gem that handles authentication AND authorization for me
I personally use devise for authentication. With some simple code you can roll your own authorization system.

You can use in your user table:

    t.boolean :admin, :default => false

In your application controller:

    # Expose admin_user to views as a helper.
    helper_method :admin_user

    # True only when someone is logged in and flagged as admin.
    def admin_user
      current_user && current_user.admin == true
    end

    # Before filter: keep guests and non-admins away from the action.
    def require_admin
      unless current_user && current_user.admin
        access_denied
      end
    end

    # Send the visitor back to the root page with a notice.
    def access_denied
      redirect_to root_url
      flash[:notice] = "Cannot access that page!"
    end

Then use require_admin as a before filter in your controllers.

--
Posted via http://www.ruby-forum.com/.
Norbert Melzer
2011-Oct-14 19:20 UTC
Re: Re: [Wanted] A gem that handles authentication AND authorization for me
2011/10/14, Sean Six <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org>:
> I personally use devise for authentication. With some simple code you
> can roll your own authorization system.
>
> You can use in your user table:
> t.boolean :admin, :default => false

Yeah, cool...

    t.boolean :forum_mod, :default => false
    t.boolean :blog_poster, :default => false
    t.boolean :may_see_hidden_forum_number1, :default => false
    t.boolean :and_so_on, :default => false

This is what I did not want to do...

Additionally I think that the controller should not know more about the user than what is absolutely necessary. As I understand the whole mechanisms, authorization should be part of the model, or at least of another subsystem...

If it would be possible I would even let the database handle the users and create a single database user for every user of my page and handle his permissions to the tables by the database as approach for authorization AND authentication at the same time, but I can't do this because 1) I don't know how to do this in rails and 2) my hoster does not allow more than one dbuser for free...

With this argumentation cancan + any authentication system is more what I want than your approach. But I prefer to have authentication and authorization in one single system.
Brandon Black
2011-Oct-15 20:52 UTC
Re: A gem that handles authentication AND authorization for me
For some reason everyone seems to always go right for Devise (like a moth to a flame). Nothing wrong with that, but I've always found OmniAuth to be far more superior: https://github.com/intridea/omniauth

Depending on who your provider is and what they're using for authentication/authorization, it's quite easy to accomplish both simultaneously in one flow. Google uses a hybrid OpenID approach mixing in oauth authentication as part of the login flow and Facebook does the same with connect.

OmniAuth is easy to use and well supported by the talented crew over at Intridea. I've used it personally many times for Google, Facebook, Twitter, and Vimeo, but it supports many more providers. If the provider you're looking for isn't there, it's quite easy to add an extension for them.
Dheeraj Kumar
2011-Oct-15 21:58 UTC
Re: Re: A gem that handles authentication AND authorization for me
I personally use Devise + CanTango (a roles layer on top of CanCan, an authorization provider) and it's really really easy to set it up and get going. You should really try the combo out.
Harun Pathan
2011-Oct-16 04:57 UTC
Re: Re: A gem that handles authentication AND authorization for me
Declarative Authorization is one more choice. For authentication, you would need a user object in Controller#current_user, and the user model needs to respond to role_symbols. You can find more details here: <https://github.com/stffn/declarative_authorization>

Thanks,
Harun
Dave Aronson
2011-Oct-16 18:10 UTC
Re: Re: [Wanted] A gem that handles authentication AND authorization for me
On Fri, Oct 14, 2011 at 15:20, Norbert Melzer <timmelzer-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> t.boolean :may_see_hidden_forum_number1, :default => false
> t.boolean :and_so_on, :default => false
>
> This is what I not wanted to do...

Correct. Any time you have a _number1 and_so_on, that's a smell that indicates a need to break out the association into a separate class (or at least table). In this case, maybe something like having a set of user roles, whereby a given forum may require one or more (or perhaps *any of* several?) roles in order to administer it, or see it, or whatever, and users have zero or more roles.

For instance, let's say your project is a gathering place with forums for assorted aspects of various religions. (For instance, you may have Hebrew Lessons and Daily Torah Reading for the Jews; Arabic Lessons and Daily Quran Reading for the Muslims; Talking with your Mouth Full and Daily Sauce Recipe for the Pastafarians; and so on.) To prevent holy flame wars, you don't want the members of each of them to even see the existence of the other religions' forums. Each forum could have an optional role required in order to see it, and each user could have zero or more roles. (More than one, in case you trust someone to see the forums of multiple religions.) Or, you could have multiple roles per forum, which raises the question of whether you want to require *any* of them, *all* of them, or something more complex.

-Dave
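The per-scope roles asked for in the first message and the any-of/all-of role requirement raised in the last reply, as an added example in plain Ruby. It is not code from any poster or gem in this thread; the class names, the role names and the :hidden_forum scope are assumptions.

```ruby
require "set"

# Added example; all class names are hypothetical. A role is granted within a
# scope (a subsystem or a single forum), not as a system-wide users-table flag.
Grant = Struct.new(:user, :role, :scope)

class ScopedRoles
  GLOBAL = :global # scope for site-wide roles such as :owner
  def initialize
    @grants = Set.new
  end

  def grant(user, role, scope = GLOBAL)
    @grants << Grant.new(user, role, scope)
  end

  # Roles a user holds in a scope, including site-wide grants.
  def roles_for(user, scope)
    @grants.select { |g| g.user == user && [scope, GLOBAL].include?(g.scope) }
           .map(&:role).to_set
  end
end

# What an action demands: a set of roles, and whether :any or :all are needed.
Requirement = Struct.new(:roles, :mode) do
  def satisfied_by?(held)
    return true if roles.empty? # open to everyone, guests included
    mode == :all ? roles.subset?(held) : roles.intersect?(held)
  end
end

class Policy
  def initialize(roles)
    @roles = roles
    @rules = {} # [scope, action] => Requirement
  end

  def add_rule(scope, action, roles, mode = :any)
    @rules[[scope, action]] = Requirement.new(roles.to_set, mode)
  end

  # Deny by default: no rule means no access; a guest (nil) holds no roles.
  def allowed?(user, action, scope)
    rule = @rules[[scope, action]]
    return false unless rule
    held = user ? @roles.roles_for(user, scope) : Set.new
    held.include?(:owner) || rule.satisfied_by?(held)
  end
end

# Constructed sample data following the thread's blog/forum scenario.
ROLES = ScopedRoles.new
[["norbert", :owner], ["klaus", :user], ["alfred", :user],
 ["klaus", :author, :blog], ["alfred", :moderator, :forum],
 ["alfred", :group_a, :hidden_forum]].each { |g| ROLES.grant(*g) }
POLICY = Policy.new(ROLES)
[[:blog, :read, []], [:blog, :comment, [:user]], [:blog, :publish, [:author]],
 [:forum, :moderate, [:moderator]],
 [:hidden_forum, :see, [:group_a, :group_b]]].each { |r| POLICY.add_rule(*r) }
```

Adding a subsystem or another hidden forum only adds grant and rule rows; no combined role such as blog_author_and_forum_mod and no new boolean column is needed.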