balinterdi / only_owner
Branch: test_with_rails_app
Files in the repository root:

  MIT-LICENSE
  README
  Rakefile
  init.rb
  install.rb
  lib/
  tasks/
  test/
  uninstall.rb
README
OnlyOwner
=========

The plugin aims to leverage the recurring theme of granting access only to the owner of a resource (e.g. a user profile). Most of the time all actions of a controller, except the new/create actions and possibly the index and show actions, should only be allowed for the owner.

The plugin provides an only_owner class method for ActionController which denies access (returns a 401 status head response) to protected actions for non-owners. It does this by adding a before_filter to the chain.

The plugin assumes a few things about the available methods:

1. A current_user method is in scope in the controller and returns the currently active user, or nil if no user is logged in. Another method can be given by passing the :current_user option.

2. A find_<resource_name_singular> method is in scope and returns the resource instance the user is fetching. This only makes sense for actions that operate on a given resource (edit, update, show(?), delete, destroy), but most of the time it is these actions that should be protected anyway. The method assumes that the instance's id is in params[:id]. If the method does not exist, the plugin can still find the resource using params[:id] and the name of the model class (which it infers from the controller name [TODO]). The method name can be overridden by passing the :finder parameter.

3. The resource model has a belongs_to (or one_to_many?) association that links it to its owner(s), the name of which is "owner". This can be overridden by providing an :owner parameter which points to an association accessor method.

The method can take the following other parameters:

  :only => actions   : only these actions should be protected
  :except => actions : all actions except these should be protected

Example
=======

  # let everybody modify the profile but only the owner should be able to delete it.
  class ProfilesController < ApplicationController
    only_owner :only => [:destroy]
  end

Here current_user yields the active user, the Profile model has an owner relation that references the owner of the profile, and a find_profile method exists that fetches the profile (or it will be created by the only_owner method).

  class ProfilesController < ApplicationController
    only_owner :current_user => :logged_in_user, :owner => :user
  end

  # use the get_profile method to get the profile to be protected in the action (when the filter runs).
  class ProfilesController < ApplicationController
    only_owner :finder => :get_profile
  end

Copyright (c) 2009 [Balint Erdi (balint@bucionrails.com)], released under the MIT license
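The filter the README describes, written out as an added, self-contained illustration; this is not the plugin's own code from lib/. Rails is replaced by the small FakeController below (a before_filter chain with :only/:except, params and head), so the file runs without Rails. The User, Profile and Post models, the users ALICE and BOB, the two controllers and the request helper are all constructed for the example. The only behaviour assumed beyond the README is that a nil current_user is treated as a non-owner, and that the controller-name fallback singularizes by stripping a trailing "s".

```ruby
# Stand-in for the bits of ActionController the plugin relies on (not Rails).
class FakeController
  attr_reader :params
  attr_accessor :current_user            # what ApplicationController would supply

  def self.filters; @filters ||= []; end

  # Rails 2 style before_filter(:only => ..., :except => ...) { |controller| ... }
  def self.before_filter(options = {}, &block)
    filters << [options, block]
  end

  def initialize(params = {}); @params = params; end
  def head(status); @status = status; end
  def performed?;   !@status.nil?;    end

  # Runs the filter chain for +action+; a filter that sends a response halts it.
  # Returns the HTTP status the request ended with.
  def process(action)
    name = action.to_s
    self.class.filters.each do |opts, block|
      next if opts[:only]   && !opts[:only].include?(name)
      next if opts[:except] &&  opts[:except].include?(name)
      block.call(self)
      return @status if performed?
    end
    send(action)
    @status = 200
  end
end

# The only_owner macro, following the README's three rules.
module OnlyOwner
  def self.included(base); base.extend(ClassMethods); end

  module ClassMethods
    def only_owner(options = {})
      current_user_method = options.fetch(:current_user, :current_user)  # rule 1
      finder              = options[:finder]                             # rule 2
      owner_method        = options.fetch(:owner, :owner)                # rule 3
      filter_opts = {}
      filter_opts[:only]   = Array(options[:only]).map(&:to_s)   if options[:only]
      filter_opts[:except] = Array(options[:except]).map(&:to_s) if options[:except]

      before_filter(filter_opts) do |c|
        user     = c.send(current_user_method)
        resource = c.send(:only_owner_resource, finder)
        # a nil user (nobody logged in) and a non-owner both get the 401 head response
        c.head(401) unless user && resource && resource.send(owner_method) == user
      end
    end
  end

  private

  # :finder if given, else find_<singular>, else infer the model class from the
  # controller name and load it by params[:id] (naive singularization: strip "s").
  def only_owner_resource(finder)
    singular = self.class.name.sub(/Controller\z/, '').sub(/s\z/, '').downcase
    finder ||= :"find_#{singular}"
    return send(finder) if respond_to?(finder, true)
    Object.const_get(singular.capitalize).find(params[:id])
  end
end

# Constructed models and users.
User    = Struct.new(:id)
Profile = Struct.new(:id, :owner)
Post    = Struct.new(:id, :user)
ALICE, BOB = User.new(1), User.new(2)
PROFILES   = { 1 => Profile.new(1, ALICE) }
def Profile.find(id); PROFILES.fetch(id.to_i); end

# README example 1: anyone may update a profile, only its owner may destroy it.
# No find_profile is defined, so the fallback infers Profile from the controller name.
class ProfilesController < FakeController
  include OnlyOwner
  only_owner :only => [:destroy]
  def update;  end
  def destroy; end
end

# README examples 2 and 3 combined: every hook renamed.
class PostsController < FakeController
  include OnlyOwner
  only_owner :except => [:index, :show], :current_user => :logged_in_user,
             :owner => :user, :finder => :get_post
  def logged_in_user; current_user; end
  def get_post; Post.new(params[:id], ALICE); end   # constructed: ALICE owns every post
  def show; end
  def edit; end
end

# Simulates one request and returns the resulting HTTP status (200 or 401).
def request(controller_class, action, user, params = {})
  c = controller_class.new(params)
  c.current_user = user
  c.process(action)
end

p request(ProfilesController, :destroy, BOB, :id => 1)   # 401: BOB does not own profile 1
```

Two points worth checking before relying on a filter like this. First, the owner test is a plain equality between the association's value and current_user, so it protects exactly the actions that load a record by params[:id]; an action listed as protected but run without an :id (or a finder that returns nil) is denied rather than allowed, which is the safe default. Second, the README's choice of status: a logged-in non-owner receives 401, the code HTTP reserves for missing or invalid credentials, whereas 403 Forbidden is the conventional answer for an authenticated but unauthorized request. Clients that react to 401 by re-prompting for credentials will loop, so decide which status your API consumers expect.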

