asquared / authenticates_access
Model-based authentication plugin for Rails

http://www.asquaredlabs.com/article/authenticates_access
Merge commit 'origin/master' 
asquared (author)
Sun Aug 02 20:26:37 -0700 2009
commit  d9ab8883b1d956f87ef056809617d29d6abb83e8
tree    665dc28a028dde9825504b148f127dfc1e4e0f29
parent  dc4f0fd4e94f06de5969fee66949389de6a1ef57
parent  083885025a90e01ed4137843e61db9838aad4a91
authenticates_access /
  .gitignore     Wed Jun 17 20:05:01 -0700 2009  added a bunch of testing related things DRY'd u... [asquared]
  MIT-LICENSE
  README         Wed Jun 17 13:20:13 -0700 2009  Added autosets_owner_on_create, bypass_auth { .... [asquared]
  Rakefile
  init.rb
  install.rb     Tue Jun 16 19:47:40 -0700 2009  Committed initial version of authenticates_access [asquared]
  lib/
  tasks/         Tue Jun 16 19:47:40 -0700 2009  Committed initial version of authenticates_access [asquared]
  test/          Sun Aug 02 20:26:37 -0700 2009  Merge commit 'origin/master' [asquared]
  uninstall.rb   Tue Jun 16 19:47:40 -0700 2009  Committed initial version of authenticates_access [asquared]
README
AuthenticatesAccess
===================

AuthenticatesAccess can be used to implement model-based authentication and
authorization features in your application. It is based around the concept
of "accessors", or model objects which are used as tokens to access other
model objects. Accessors might be users, groups, or sessions. 
AuthenticatesAccess allows the use of methods within the accessors or within
the accessed objects to determine whether certain actions should be allowed.

Example
=======

Models need to define the access restrictions which will apply. If the concept
of "ownership" is to be used, it is necessary to define which attribute 
refers to the object's owner. The owner should fill the role of accessor
in the application.

class User < ActiveRecord::Base
  # user has an is_admin attribute
  
  # don't let non-admins change the is_admin attribute
  authenticates_writes_to :is_admin, :with_accessor_method => :is_admin

  # allow users to save their own profile
  authenticates_saves :with => :allow_owner

  # allow admins to save the profile as well
  authenticates_saves :with_accessor_method => :is_admin

  # note that ownership doesn't confer all privileges!
  # has_owner :self means that the accessor's ID will be compared
  # with this object's own ID for the allow_owner test.
  has_owner :self
end

class Comment < ActiveRecord::Base
  belongs_to :user

  # allow users to edit their own comments (but not others)

  # has_owner :user means that user.id will be compared to accessor.id
  # for the allow_owner test to pass.
  has_owner :user
  
  # register the ownership test for any saves
  authenticates_saves :with => :allow_owner

  # this will also allow admins to edit any comments
  authenticates_saves :with_accessor_method => :is_admin

  # this makes the creating user the owner of the comment
  autosets_owner_on_create
end

The application controller should set an accessor to be used:

class ApplicationController < ActionController::Base
  before_filter :setup_accessor

  protected

  def setup_accessor
    ActiveRecord::Base.accessor = logged_in_user
  end   

  def logged_in_user
    # find_by_id returns nil instead of raising RecordNotFound when
    # nobody is logged in, so anonymous requests get no accessor
    User.find_by_id(session[:user_id])
  end
end

The views may use methods to determine which attributes may currently 
be written, or whether the object may be modified at all.

<% if @user.allowed_to_save(:is_admin) %> 
<%= f.check_box :is_admin %>
<% end %>

<% if user.allowed_to_save %>
<%= link_to 'Edit', edit_user_path(user) %>
<% end %>
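To see how the rules declared above combine, here is an added example that is not the plugin's own code: a small plain-Ruby model of the semantics the README describes, with the User and Comment classes as constructed stand-ins. It assumes that a save is allowed when any registered authenticates_saves rule passes, and that an attribute named in authenticates_writes_to additionally needs its own rule to pass.

```ruby
# Added illustration, not the authenticates_access implementation: models the
# README's rule semantics so the combinations can be checked offline.
class Model
  class << self
    attr_accessor :accessor, :owner_attr             # mirrors ActiveRecord::Base.accessor=
    def has_owner(attr);                      self.owner_attr = attr; end
    def authenticates_saves(rule);            save_rules << rule; end
    def authenticates_writes_to(attr, rule);  write_rules[attr] = rule; end
    def save_rules;  @save_rules  ||= []; end        # one list per model class
    def write_rules; @write_rules ||= {}; end
  end
  attr_reader :id, :is_admin, :user
  def initialize(attrs); attrs.each { |k, v| instance_variable_set("@#{k}", v) }; end

  # Evaluate one rule hash against the current accessor (no accessor => deny).
  def rule_passes?(rule)
    acc = Model.accessor
    return false if acc.nil?
    if rule[:with] == :allow_owner
      oa = self.class.owner_attr
      owner = oa == :self ? self : (oa && send(oa))  # has_owner :self vs has_owner :user
      !owner.nil? && owner.id == acc.id
    elsif (m = rule[:with_accessor_method])
      acc.send(m) ? true : false                     # e.g. accessor.is_admin
    else
      false                                          # unrecognised rule: deny
    end
  end

  # No attribute: may the object be saved at all?  With an attribute: may that
  # attribute be written, honouring any authenticates_writes_to restriction?
  def allowed_to_save(attr = nil)
    saveable = self.class.save_rules.any? { |r| rule_passes?(r) }
    rule = attr && self.class.write_rules[attr]
    rule ? saveable && rule_passes?(rule) : saveable
  end
end

class User < Model                       # constructed stand-in for the README's User
  authenticates_writes_to :is_admin, :with_accessor_method => :is_admin
  authenticates_saves :with => :allow_owner
  authenticates_saves :with_accessor_method => :is_admin
  has_owner :self
end

class Comment < Model                    # constructed stand-in for the README's Comment
  has_owner :user
  authenticates_saves :with => :allow_owner
  authenticates_saves :with_accessor_method => :is_admin
end
```

Set Model.accessor to a User, as the controller does with ActiveRecord::Base.accessor, and call allowed_to_save with or without an attribute to see which rule lets a write through.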

Copyright (c) 2009 Andrew H. Armenia, released under the MIT license.