langalex / totally-restful-authorization fork watch download tarball
public
Description: This plugin adds an authorization layer to your rails app that is totally transparent to your restful controllers and a DSL for declaring permissions on your models.
Homepage: http://upstream-berlin.com/blog/open-source/#totally_restful_authorization
Clone URL: git://github.com/langalex/totally-restful-authorization.git 
fixed test
Alexander Lang (author)
Mon Jun 09 03:17:07 -0700 2008
commit  e7d8049db34cc1017d5dcc135abb490615e1b5b2
tree    ebd053678e5c23dc64af74bff8cca9e87bf64ea8
parent  ba100d40ba8eaa92701edae39e573ac5ffb21954
name age
history
message
file MIT-LICENSE Fri May 30 11:00:18 -0700 2008 first commit [Alexander Lang]
file README Mon Jun 09 03:09:04 -0700 2008 fixed plugin name in readme (whoops) [Alexander Lang]
file init.rb Mon Jun 09 03:15:00 -0700 2008 fixed rails 2.1 applications failed to run with... [Alexander Lang]
directory lib/ Tue Jun 03 04:10:04 -0700 2008 now passing the model itself and the user seeki... [Alexander Lang]
directory test/ Mon Jun 09 03:17:07 -0700 2008 fixed test [Alexander Lang]
README
totally restful authorization
==============================

This plugin adds an authorization layer to your rails app that is <del>completely</del> totally transparent to your 
restful controllers. all you have to is include a module in your controller and provide 4 methods in your model that 
control who is allowed to access it or not. the controllers will then automatically block or allow the usual crud 
actions (new, create, edit, update, show, destroy) to run or not.

How it works
============

Include the PermisionCheck Module in your restful controller...

class ApplicationController < ActionController::Base
  include PermissionCheck
end

... and then declare the permissions in your model:

class User
  updatable_by :admin # updatable if updater.admin? return true
  updatable_by :self, :except => [:admin] # special role self, allow all attributes except some to be updated
  updatable_by :newbie, :only => [:description] # only allow some attribute to be updated
  
  viewable_by :anyone # special role, includes nil
  viewable_by :developer, :condition => lambda{|user, viewer| user.non_developer? && viewer.account_activated?} # use 
  conditions for more complex permissions
  
  destroyable_by [:admin, :root] # declare multiple roles at once
end

Or implement one or more of these four methods directly:

class User
  def updatable_by?(user, field = nil)
    true
  end
  
  def creatable_by?(user, field = nil)
    true
  end
  
  def destroyable_by?(user)
    true
  end
  
  def  viewable_by?(user)
    true
  end
end

The fields parameter is either nil to determine if an object can be updated at all or a symbol of a field name. The user 
parameter is taken from the current_user in your controller (so you have to provide a current_user method, or install 
restful_authentication or something like that).

From now on your controller will run a before filter before the new/create/edit/update/destroy/show actions to make sure 
that the current_user is allowed to update/create/destroy/view the model. If you don't declare any permissions no 
actions can be performed on your model.

=================================================================

For questions, patches etc. contact alex[at]upstream-berlin.com

Copyright (c) 2008 Alexander Lang, released under the MIT license