June 03, 2008 by alex
We have again released a new plugin. Continuing the series of completely original names it’s called totally restful authorization.
The exec summary: you can declaratively add permissions to your (ActiveRecord) models for creating, viewing, updating and destroying them. A set of before filters automagically checks all incoming requests on your restful controllers for the permission and grants or denies access based on the permissions declared on the respective model.
Now with Rails 2.1 out, all you have to do is script/plugin install git://github.com/langalex/totally-restful-authorization.git.
First, include the PermissionCheck module into the controllers you want to be checked, or simply into the ApplicationController to secure your entire application.
class ApplicationController < ActionController::Base
  include PermissionCheck
  ...
end
Second, declare permissions on your model using the built in domain specific language.
class User < ActiveRecord::Base
  updatable_by :admin # updatable if updater.admin? returns true
  updatable_by :self, :except => [:admin] # special role self: allow all attributes except the listed ones to be updated
  updatable_by :newbie, :only => [:description] # only allow the listed attributes to be updated
  viewable_by :anyone # special role, includes nil (no logged-in user)
  destroyable_by [:admin, :root] # declare multiple roles at once
end
That’s it. From now on all requests will be checked against your model permissions and blocked if the authorization fails. For more details see the README and the unit tests. (By the way, if anyone has a good idea on how to replace the controller tests with RSpec specs, i.e. get controller specs working in a plugin, please tell me.)
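To make the behaviour of the declarations above concrete, here is an added example that is not the plugin's own code: a pure-Ruby stand-in for the permission DSL and the before filter, runnable without Rails or a database. It assumes the generated query methods are named updatable_by?, viewable_by?, destroyable_by? and creatable_by?, that a role such as :admin is tested by calling admin? on the acting user, and the User class, its roles and the authorize helper are constructed for the example.

```ruby
# Added example, not the plugin's own code: a pure-Ruby stand-in for the
# declarative permission DSL from the post, so the role and attribute rules
# and the before-filter check can be run without Rails or a database.
# Assumed: the generated query methods are named updatable_by?, viewable_by?,
# destroyable_by? and creatable_by?, and a role :admin is tested by calling
# admin? on the acting user.
module PermissionDsl
  ACTIONS = [:creatable, :viewable, :updatable, :destroyable].freeze

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Per-action list of rules: { role:, only:, except: }
    def permission_rules
      @permission_rules ||= Hash.new { |h, k| h[k] = [] }
    end

    ACTIONS.each do |action|
      # Defines updatable_by, viewable_by, ...; accepts one role or a list.
      define_method("#{action}_by") do |roles, options = {}|
        Array(roles).each do |role|
          permission_rules[action] << { role: role, only: options[:only], except: options[:except] }
        end
      end
    end
  end

  # Does `actor` hold `role` towards this record? :anyone matches everybody,
  # nil (no logged-in user) included; :self matches the record itself; any
  # other role is a predicate on the actor (admin?, root?, ...).
  def holds_role?(actor, role)
    case role
    when :anyone then true
    when :self   then !actor.nil? && actor.equal?(self)
    else
      predicate = "#{role}?"
      !actor.nil? && actor.respond_to?(predicate) && actor.public_send(predicate) == true
    end
  end

  ACTIONS.each do |action|
    # updatable_by?(actor, attrs) etc. `attrs` names the attributes being
    # written; a rule with :only/:except permits only the listed names.
    define_method("#{action}_by?") do |actor, attrs = []|
      attrs = attrs.map(&:to_sym)
      self.class.permission_rules[action].any? do |rule|
        next false unless holds_role?(actor, rule[:role])
        next false if rule[:only]   && !(attrs - rule[:only]).empty?
        next false if rule[:except] && !(attrs & rule[:except]).empty?
        true
      end
    end
  end
end

# Constructed model standing in for the ActiveRecord User from the post.
class User
  include PermissionDsl

  updatable_by :admin
  updatable_by :self, :except => [:admin]
  updatable_by :newbie, :only => [:description]
  viewable_by :anyone
  destroyable_by [:admin, :root]

  attr_reader :name
  def initialize(name, admin: false, root: false, newbie: false)
    @name, @admin, @root, @newbie = name, admin, root, newbie
  end
  def admin?;  @admin;  end
  def root?;   @root;   end
  def newbie?; @newbie; end
end

# Stand-in for the before filter: map a RESTful controller action to the
# matching permission and answer :allow or :deny (a 403 in the real filter).
def authorize(action, record, current_user, params = {})
  permitted =
    case action
    when :show    then record.viewable_by?(current_user)
    when :update  then record.updatable_by?(current_user, params.keys)
    when :destroy then record.destroyable_by?(current_user)
    when :create  then record.creatable_by?(current_user)
    else false
    end
  permitted ? :allow : :deny
end

if __FILE__ == $0
  bob   = User.new('bob')
  admin = User.new('alice', admin: true)
  puts authorize(:update, bob, admin, 'admin' => true)   # allow
  puts authorize(:update, bob, bob,   'admin' => true)   # deny
  puts authorize(:show,   bob, nil)                      # allow
end
```

The point worth noticing is the attribute check on update: a :self rule with :except => [:admin] lets a user edit their own record but denies the whole request as soon as the submitted parameters touch the admin flag, which is the mass-assignment case the per-attribute options exist for.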