langalex / totally-restful-authorization
watch download tarball
public
Forks4Right
Watchers37Right
Description: This plugin adds an authorization layer to your rails app that is totally transparent to your restful controllers and a DSL for declaring permissions on your models.
Homepage: http://upstream-berlin.com/blog/open-source/#totally_restful_authorization
Clone URL: git://github.com/langalex/totally-restful-authorization.git 
updated gemspec
langalex (author)
Wed Jun 17 07:39:11 -0700 2009
commit  1880dad9e558f4de030df619aff8041e33681660
tree    0a1e89d5f219e8070ba471f4cb805ceb9cb8679f
parent  aab022be212ad6994e15f94129ef7dedd42fcb9c
100644 60 lines (39 sloc) 2.323 kb
raw blame history 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

totally restful authorization
==============================
 
This plugin adds an authorization layer to your rails app that is <del>completely</del> totally transparent to your restful controllers. all you have to is include a module in your controller and provide 4 methods in your model that control who is allowed to access it or not. the controllers will then automatically block or allow the usual crud actions (new, create, edit, update, show, destroy) to run or not.
 
How it works
============
 
Call _check_authorization_ in your restful controller...
 
class ApplicationController < ActionController::Base
  check_authorization
end
 
... and then declare the permissions in your model:
 
class User
	updatable_by :admin # updatable if updater.admin? return true
	updatable_by :admin, :only => [:description] # only allow some attribute to be updated
	updatable_by :self # special role self, allows the object to update itself
	updatable_by :associated => :friend # allow user.friend to update the object
 
	viewable_by :anyone # special role, includes nil
	viewable_by :admin, :condition => lambda{|user, viewer| user.non_admin? && viewer.account_activated?} # use conditions for more complex permissions
 
 
 
	destroyable_by [:admin, :root] # declare multiple roles at once
end
 
Or implement one or more of these four methods directly:
 
class User
  def updatable_by?(user, field = nil)
    true
  end
  
  def creatable_by?(user, field = nil)
    true
  end
  
  def destroyable_by?(user)
    true
  end
  
  def	viewable_by?(user)
    true
  end
end
 
The fields parameter is either nil to determine if an object can be updated at all or a symbol of a field name. The user parameter is taken from the current_user in your controller (so you have to provide a current_user method, or install restful_authentication or something like that).
 
From now on your controller will run a before filter before the new/create/edit/update/destroy/show actions to make sure that the current_user is allowed to update/create/destroy/view the model. If you don't declare any permissions no actions can be performed on your model.
 
=================================================================
 
For questions, patches etc. contact alex[at]upstream-berlin.com
 
Copyright (c) 2008 Alexander Lang, released under the MIT license