This repository is private.
All pages are served over SSL and all pushing and pulling is done over SSH.
No one may fork, clone, or view it unless they are added as a member.
Every repository with this icon (
) is private.
Every repository with this icon (
) is private.
This repository is public.
Anyone may fork, clone, or view it.
Every repository with this icon () is public.
Every repository with this icon (
) is public.
commit aab022be212ad6994e15f94129ef7dedd42fcb9c
tree 4e0b4084c604b743b8c04f3120a4764e9a85b9d3
parent 58766e33cd2fd4c4da13b94737cf4dd520e2b017
tree 4e0b4084c604b743b8c04f3120a4764e9a85b9d3
parent 58766e33cd2fd4c4da13b94737cf4dd520e2b017
| name | age | message | |
|---|---|---|---|
 |
LICENSE | Fri Jun 12 07:53:22 -0700 2009 | |
| |
README | Loading commit data...  |
|
| |
Rakefile | Fri Jun 12 07:53:22 -0700 2009 | |
| |
VERSION | ||
 |
lib/ | ||
| |
rails/ | Fri Jun 12 08:31:01 -0700 2009 | |
| |
test/ | ||
| |
totally-restful-authorization.gemspec |
README
totally restful authorization
==============================
This plugin adds an authorization layer to your rails app that is <del>completely</del> totally transparent to your
restful controllers. all you have to is include a module in your controller and provide 4 methods in your model that
control who is allowed to access it or not. the controllers will then automatically block or allow the usual crud
actions (new, create, edit, update, show, destroy) to run or not.
How it works
============
Call _check_authorization_ in your restful controller...
class ApplicationController < ActionController::Base
check_authorization
end
... and then declare the permissions in your model:
class User
updatable_by :admin # updatable if updater.admin? return true
updatable_by :admin, :only => [:description] # only allow some attribute to be updated
updatable_by :self # special role self, allows the object to update itself
updatable_by :associated => :friend # allow user.friend to update the object
viewable_by :anyone # special role, includes nil
viewable_by :admin, :condition => lambda{|user, viewer| user.non_admin? && viewer.account_activated?} # use conditions
for more complex permissions
destroyable_by [:admin, :root] # declare multiple roles at once
end
Or implement one or more of these four methods directly:
class User
def updatable_by?(user, field = nil)
true
end
def creatable_by?(user, field = nil)
true
end
def destroyable_by?(user)
true
end
def viewable_by?(user)
true
end
end
The fields parameter is either nil to determine if an object can be updated at all or a symbol of a field name. The user
parameter is taken from the current_user in your controller (so you have to provide a current_user method, or install
restful_authentication or something like that).
From now on your controller will run a before filter before the new/create/edit/update/destroy/show actions to make sure
that the current_user is allowed to update/create/destroy/view the model. If you don't declare any permissions no
actions can be performed on your model.
=================================================================
For questions, patches etc. contact alex[at]upstream-berlin.com
Copyright (c) 2008 Alexander Lang, released under the MIT license
