# ixtlan guard #

* [![Build Status](https://secure.travis-ci.org/mkristian/ixtlan-guard.png)](http://travis-ci.org/mkristian/ixtlan-guard)
* [![Dependency Status](https://gemnasium.com/mkristian/ixtlan-guard.png)](https://gemnasium.com/mkristian/ixtlan-guard)
* [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/mkristian/ixtlan-guard)

ixtlan guard is a simple authorization framework for RESTful rails, especially when rails is used as an API server.

the idea is simple:

* each user belongs to a set of groups
* each controller/action pair permits a set of groups to execute it
* the guard class checks whether the user has at least one group that the controller/action pair allows

## current\_user\_groups method ##

this is similar to the **current_user** method common in authentication. the **current_user_groups** method returns an array of objects, each of which responds to __:name__. we call these objects groups, and a group's name is what is used in the permission config of the controller.

with something like PosixAccounts and PosixGroups (as known from ldap) the implementation would look like this, which is also the default used when no such method is defined:

    def current_user_groups
      current_user.groups
    end

## config for a controller

this is a yaml file at **RAILS_ROOT/app/guards/my\_users\_guard.yml**, for example:

    my_users:
      index:
        - root
        - user-admin
        - app-admin
      show: [root,app-admin,guest]
      new: [root]
      create: [root]
      edit: [root,app-admin]
      update: [root,app-admin]
      destroy: [root]

with the special action **defaults** (which applies to every action not listed explicitly) this can be reduced to

    my_users:
      defaults: [root]
      index:
        - root
        - user-admin
        - app-admin
      show: [root,app-admin,guest]
      edit: [root,app-admin]
      update: [root,app-admin]

and since **root** is handled by the guard anyway (the guard permits root without it being listed), it can be further reduced to

    my_users:
      defaults: []
      index:
        - user-admin
        - app-admin
      show: [app-admin,guest]
      edit: [app-admin]
      update: [app-admin]

note that an empty list such as `defaults: []` only removes everybody else; root still gets through, so unlisted actions like `destroy` are root-only rather than closed.
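to see how these three config variants play out, here is a small stand-in guard (an added illustration, not the gem's own code) that loads the reduced config above and applies the two rules stated here: unlisted actions fall back to **defaults**, and **root** is always permitted. `ToyGuard`, `Group` and `MY_USERS_GUARD` are names made up for this example.

```ruby
require 'yaml'

# constructed input: the reduced my_users guard file from above
MY_USERS_GUARD = <<~YAML
  my_users:
    defaults: []
    index:
      - user-admin
      - app-admin
    show: [app-admin,guest]
    edit: [app-admin]
    update: [app-admin]
YAML

# stand-in for what current_user_groups returns: objects responding to :name
Group = Struct.new(:name)

# toy guard, not the gem's implementation: only the config semantics described
# in this README (per-action group lists, a "defaults" fallback, implicit root)
class ToyGuard
  ROOT = 'root'.freeze

  def initialize(yaml)
    @config = YAML.safe_load(yaml)
  end

  # groups the config permits for controller/action; falls back to the
  # "defaults" entry, and returns nil when nothing is configured at all
  def permitted_groups(controller, action)
    actions = @config[controller.to_s] or return nil
    actions.fetch(action.to_s) { actions['defaults'] }
  end

  # true when the user is root or holds at least one permitted group;
  # an unconfigured controller/action denies everyone except root
  def allowed?(controller, action, groups)
    names = groups.map(&:name)
    return true if names.include?(ROOT)
    permitted = permitted_groups(controller, action) or return false
    !(permitted & names).empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = ToyGuard.new(MY_USERS_GUARD)
  puts guard.allowed?(:my_users, :show, [Group.new('guest')])        # true
  puts guard.allowed?(:my_users, :destroy, [Group.new('app-admin')]) # false: defaults is []
  puts guard.allowed?(:my_users, :destroy, [Group.new('root')])      # true: root is implicit
end
```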

## rails helper methods

### authorize method of controller

the authorize method asks the Guard whether a certain action on a controller is allowed for the current_user; if not, the method raises an Error. this method is registered as a before-filter on the application controller, so **skip_before_filter :authorize** will disable the guard for every action of that controller, which is why the advanced section below pairs it with a **guard_filter** of its own instead of leaving the controller unguarded.

### allowed? method of controller

the call `allowed?(:destroy)` tells whether the given action on the current controller is permitted for the current user.

### allowed? method of views

it takes two arguments, since the controller name (or resource name) is needed as well. the call `allowed?(:users, :destroy)` tells whether the given controller/action pair is permitted for the current user.

### getting the Guard instance

to get an instance of the **Guard** inside a controller just call `guard`. elsewhere `Rails.application.config.guard` will give you such an instance.

# more advanced

sometimes you want to bind a resource to a user/group pair, e.g. organizations which have report-writers and report-readers. the filter method receives the permitted groups and returns the subset that applies to the current user. example as rails before-filter:

    skip_before_filter :authorize
    guard_filter :authorize_organization_reader, :only => [:show]
    guard_filter :authorize_organization_writer, :only => [:edit, :update]

    # keep only the groups in which the current user is a writer
    def authorize_organization_writer(groups)
      groups.select { |g| g.writer?(current_user) }
    end

    # readers and writers may both read; reader? is assumed to exist
    # on the group objects next to writer?
    def authorize_organization_reader(groups)
      groups.select { |g| g.reader?(current_user) || g.writer?(current_user) }
    end

of course you can organize such relations also like this:

    skip_before_filter :authorize
    guard_filter :authorize_organization

    # keep only the groups the current user holds inside the organization
    # given by params[:org_id]
    def authorize_organization(groups)
      gou = GroupsOrganizationsUser.where(:org_id => params[:org_id],
                                          :user_id => current_user.id)
      ids = gou.collect { |i| i.group_id }
      groups.select { |g| ids.include?(g.id) }
    end