mrchucho / easy-access

Easy access control and roles for CRUD operations.

easy-access / README
100644 92 lines (65 sloc) 2.7 kb
raw blame history 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

Easy Access
===========
 
Easy access control and roles for CRUD operations.
 
Easy Access provides a mixin for your User model that adds a simple role-based
access control system for the standard CRUD operations. A default access control
routine is supplied, but it can be overridden on a model-by-model basis allowing
for very fine-grained control.
 
Every CRUD operation has a corresponding User method and model hook. Implement
the model hooks(e.g. can_be_viewed_by?, can_be_edited_by?, etc.) and/or the
default AccessSystem::has_privilege_for? to customize your specific access
controls.
 
 
Installation
============
 
./script/plugin install http://github.com/mrchucho/easy-access.git
 
./script/generate easy_access Role
 
 
Example
=======
 
The can_(create|view|update|destroy)? methods can safely be used in any Controller:
 
    class RestrictedModelController < ApplicationController
 
        def create
            @model = RestrictedModel.build(params[:model])
            raise PermissionDenied unless current_user.can_create?(@model)
            @model.save!
            redirect_to restricted_model_path(@model)
        end
 
        def show
            raise PermissionDenied unless current_user.can_view?(@model)
        end
 
        def update
            @model = RestrictedModel.find(params[:id])
            raise PermissionDenied unless current_user.can_update?(@model)
            @model.save!
            redirect_to restricted_model_path(@model)
        end
 
        def destroy
            @model = RestrictedModel.find(params[:id])
            raise PermissionDenied unless current_user.can_destroy?(@model)
            @model.destroy
            redirect_to restricted_models_path
        end
 
 
By default AccessSystem::has_privilege_for? provides coarse-grained access
controls. To implement fine-grained access control for a specific model:
 
    class RestrictedModel < ActiveRecord::Base
        # ...
        def can_be_viewed_by?(user)
            user == self.user
        end
 
        def can_be_updated_by?(user)
            if self.state == :closed
                false
            else
                user == self.user
            end
        end
 
        def can_be_destroyed_by?(user)
            user.roles.any?{|r| r.name.eql?("Destroyer")}
        end
 
 
    class ReadOnlyModel < ActiveRecord::Base
        def can_be_viewed_by?(user); true; end
        def can_be_destroyed_by?(user); false; end
        def can_be_created_by?(user); false; end
        def can_be_updated_by?(user); false; end
 
 
Note that you only need to override those hooks for which more specific
controls are required.
 
 
Copyright (c) 2008 Ralph M Churchill, released under the MIT license