-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
139 lines (82 loc) · 4.22 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
= Role-based Authorization for MVC-based web applications in Ruby
Authorization is a mixin that implements role-based authorization for MVC-based web applications in Ruby. It is meant to be an extremely simple implementation.
== Features
* Simple implementation of role-based authorization (~ 50 lines of code).
* Uses a whitelist approach. Everything is unauthorized by default, you explicitly specify what is authorized.
* Works with any authentication plugin (restful_authentication, authlogic, ...)
* Works with any MVC-based Ruby web framework (I have used it with Rails and Merb)
* Test suite using rspec
== Motivation
I've been using the role_requirement plugin in many Rails applications and it's an awesome plugin.
However, while using it I found that a whitelist approach was an easier way for me to think about authorization:
Using the Authorization mixin, everything is unauthorized by default, you explicitly specify which actions are authorized for each controller.
class FooController < ApplicationController
authorize :admin
authorize :public, :except => [:edit, :update, :destroy]
...
end
The role_requirement plugin is also specially tailored to Rails and restful_authentication. There are other awesome frameworks and authentication plugins out there.
However, if you need authorization for Rails and you already use restful_authentication, I recommend you to have a look at the role_requirement plugin, it can do a lot more for you (like generating your Role models with migrations).
== Install
Authorization is implemented as a single file (lib/authorization.rb), simply drop it into your lib/ folder or elsewhere.
== Getting Started (for Rails as an example)
1. Include the Authorization mixin into your application controller.
2. Set a before filter that calls the ensure_authorization! method. The method will throw a Authorization::Unauthorized exception if the authorization fails. Using rescue_for you can handle the exception.
3. The ensure_authorization! method expects a current_user method that returns the currently logged in user. It also expects to get the requested action from params[:action]. You could change those defaults by overriding the ensure_authorization! method, it is a one-liner method.
class ApplicationController
include Authorization
before_filter :ensure_authorization!
rescue_for Authorization::Unauthorized, :with => :render_401
def current_user
# Return logged in user.
end
...
end
Authorization also expects the class of the object returned from current_user (the User class) to have a has_role? method that checks whether the current user has the given role.
class User
def has_role?(role)
self.role == role
end
...
end
class FooController < ApplicationController
authorize :admin
authorize :public, :only => [:show, :index]
...
end
== Examples
Authorize the admin for all actions of the controller:
class FooController < ApplicationController
authorize :admin
...
end
You can authorize only specific actions:
class FooController < ApplicationController
authorize :manager, :only => [:index, :show]
...
end
You can authorize all actions except specified ones:
class FooController < ApplicationController
authorize :manager, :except => [:new, :create]
...
end
You can also specify multiple roles:
class FooController < ApplicationController
authorize [:admin, :manager]
...
end
You can authorize actions for all users including unauthenticated users (current_user returns nil):
class FooController < ApplicationController
authorize :public
...
end
You can combine authorization rules:
class FooController < ApplicationController
authorize :admin
authorize :public, :except => [:new, :create, :edit, :update, :destroy]
...
end
== Acknowledgements
Part of this mixin was inspired from the role_requirement plugin by Tim Charper: http://github.com/timcharper/role_requirement
Copyright (c) 2009 Jean-Sebastien Boulanger <[email protected]>, released under the MIT license
http://jsboulanger.com