We are a software consultancy based in Berlin, Germany. We deliver
high quality web apps in short timespans.

Upstream Agile GmbH

New plugin: totally restful authorization

June 03, 2008 by alex

We have again released a new plugin. Continuing the series of completely original names, it’s called totally restful authorization.

The exec summary: you can declaratively add permissions to your (ActiveRecord) models for creating, viewing, updating and destroying them. A set of before filters automagically checks all incoming requests on your restful controllers for the permission and grants or denies access based on the permissions declared on the respective model.

How to install

Now that Rails 2.1 is out, all you have to do is script/plugin install git://github.com/langalex/totally-restful-authorization.git.

How to use

First, include the PermissionCheck module into the controllers you want to be checked, or simply into the ApplicationController to secure your entire application. Only controllers that include the module (directly or via ApplicationController) are checked.

class ApplicationController < ActionController::Base
  include PermissionCheck

  ...
end

Second, declare permissions on your models using the built-in domain specific language.

class User < ActiveRecord::Base
  updatable_by :admin # updatable if updater.admin? returns true

  updatable_by :self, :except => [:admin] # special role self; allows all attributes except the listed ones to be updated

  updatable_by :newbie, :only => [:description] # only allows the listed attributes to be updated

  viewable_by :anyone # special role, includes nil (no logged-in user)

  destroyable_by [:admin, :root] # declare multiple roles at once
end

That’s it. From now on all requests will be checked against your model permissions and blocked if the authorization fails. For more details see the README and the unit tests. (Btw. if anyone has a good idea on how to replace the controller tests with RSpec specs, i.e. get controller specs working in a plugin, please tell me.)
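To make the grant/deny rules above concrete, here is an added, stand-alone illustration of the semantics the post describes (role predicates, the special roles :self and :anyone, and the :only/:except attribute lists). It is not the plugin's own code; the Permissions module, the allowed? and authorized? helpers, the action-to-permission mapping, and the sample users are assumptions made for the example. Creation is not modelled because the post names no declaration for it.

```ruby
# Added illustration (not the plugin's code): a stand-in for the permission DSL
# described in the post, so the grant/deny decisions can be exercised on sample
# data without Rails. Names (Permissions, allowed?, authorized?) are assumptions.
module Permissions
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def permission_rules
      @permission_rules ||= Hash.new { |h, k| h[k] = [] }
    end

    # updatable_by / viewable_by / destroyable_by each record (role, options)
    # pairs; options may carry an :only or an :except attribute list.
    %w[updatable viewable destroyable].each do |perm|
      define_method("#{perm}_by") do |roles, options = {}|
        Array(roles).each { |role| permission_rules[perm.to_sym] << [role, options] }
      end
    end
  end

  # :anyone matches every actor, including nil (no logged-in user);
  # :self matches when the actor is this very record;
  # any other role is checked by calling "#{role}?" on the actor.
  def role_matches?(role, actor)
    case role
    when :anyone then true
    when :self   then !actor.nil? && actor.equal?(self)
    else actor.respond_to?("#{role}?") && actor.public_send("#{role}?")
    end
  end

  # Granted when some declared rule matches the actor and, for updates,
  # every submitted attribute lies inside that rule's permitted set.
  def allowed?(perm, actor, attrs = [])
    attrs = Array(attrs).map(&:to_sym)
    self.class.permission_rules[perm].any? do |role, opts|
      next false unless role_matches?(role, actor)
      if opts[:only]
        (attrs - opts[:only].map(&:to_sym)).empty?
      elsif opts[:except]
        (attrs & opts[:except].map(&:to_sym)).empty?
      else
        true
      end
    end
  end
end

# The same declarations as in the post, on a plain Ruby class (constructed sample).
class User
  include Permissions
  attr_reader :name

  def initialize(name, admin: false, root: false, newbie: false)
    @name, @admin, @root, @newbie = name, admin, root, newbie
  end

  def admin?;  @admin;  end
  def root?;   @root;   end
  def newbie?; @newbie; end

  updatable_by :admin
  updatable_by :self, :except => [:admin]
  updatable_by :newbie, :only => [:description]
  viewable_by :anyone
  destroyable_by [:admin, :root]
end

# Assumed mapping from RESTful controller actions to the permission they need;
# the plugin's own mapping may differ. Unmapped actions are denied (fail closed).
ACTION_PERMISSION = {
  'index' => :viewable, 'show' => :viewable,
  'edit' => :updatable, 'update' => :updatable,
  'destroy' => :destroyable,
}.freeze

# What a before filter would decide for one request: the action, the record it
# targets, the current user (nil when anonymous) and the submitted attributes.
def authorized?(action, record, current_user, params = {})
  perm = ACTION_PERMISSION[action]
  return false unless perm
  record.allowed?(perm, current_user, params.keys)
end

if __FILE__ == $0
  bob = User.new('bob')
  puts authorized?('update', bob, bob, 'admin' => true) # self may not set :admin
end
```

Note that the :only/:except lists are only meaningful if the check is run against the attributes actually submitted in the request, since that is what keeps a user from promoting himself to admin through a mass-assigned update.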