Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Failed to load latest commit information.|
= Role-based Authorization for MVC-based web applications in Ruby Authorization is a mixin that implements role-based authorization for MVC-based web applications in Ruby. It is meant to be an extremely simple implementation. == Features * Simple implementation of role-based authorization (~ 50 lines of code). * Uses a whitelist approach. Everything is unauthorized by default, you explicitly specify what is authorized. * Works with any authentication plugin (restful_authentication, authlogic, ...) * Works with any MVC-based Ruby web framework (I have used it with Rails and Merb) * Test suite using rspec == Motivation I've been using the role_requirement plugin in many Rails applications and it's an awesome plugin. However, while using it I found that a whitelist approach was an easier way for me to think about authorization: Using the Authorization mixin, everything is unauthorized by default, you explicitly specify which actions are authorized for each controller. class FooController < ApplicationController authorize :admin authorize :public, :except => [:edit, :update, :destroy] ... end The role_requirement plugin is also specially tailored to Rails and restful_authentication. There are other awesome frameworks and authentication plugins out there. However, if you need authorization for Rails and you already use restful_authentication, I recommend you to have a look at the role_requirement plugin, it can do a lot more for you (like generating your Role models with migrations). == Install Authorization is implemented as a single file (lib/authorization.rb), simply drop it into your lib/ folder or elsewhere. == Getting Started (for Rails as an example) 1. Include the Authorization mixin into your application controller. 2. Set a before filter that calls the ensure_authorization! method. The method will throw a Authorization::Unauthorized exception if the authorization fails. Using rescue_for you can handle the exception. 3. The ensure_authorization! method expects a current_user method that returns the currently logged in user. It also expects to get the requested action from params[:action]. You could change those defaults by overriding the ensure_authorization! method, it is a one-liner method. class ApplicationController include Authorization before_filter :ensure_authorization! rescue_for Authorization::Unauthorized, :with => :render_401 def current_user # Return logged in user. end ... end Authorization also expects the class of the object returned from current_user (the User class) to have a has_role? method that checks whether the current user has the given role. class User def has_role?(role) self.role == role end ... end class FooController < ApplicationController authorize :admin authorize :public, :only => [:show, :index] ... end == Examples Authorize the admin for all actions of the controller: class FooController < ApplicationController authorize :admin ... end You can authorize only specific actions: class FooController < ApplicationController authorize :manager, :only => [:index, :show] ... end You can authorize all actions except specified ones: class FooController < ApplicationController authorize :manager, :except => [:new, :create] ... end You can also specify multiple roles: class FooController < ApplicationController authorize [:admin, :manager] ... end You can authorize actions for all users including unauthenticated users (current_user returns nil): class FooController < ApplicationController authorize :public ... end You can combine authorization rules: class FooController < ApplicationController authorize :admin authorize :public, :except => [:new, :create, :edit, :update, :destroy] ... end == Acknowledgements Part of this mixin was inspired from the role_requirement plugin by Tim Charper: http://github.com/timcharper/role_requirement Copyright (c) 2009 Jean-Sebastien Boulanger <firstname.lastname@example.org>, released under the MIT license http://jsboulanger.com