
Added comments to clarify the use of declarative_authorization as suggested by Mark Mansour
1 parent a3f0883 commit dcf65f91c4a175f1858c6fc3218d4142edb4927d @stffn committed Nov 12, 2008
@@ -17,14 +17,27 @@ class ApplicationController < ActionController::Base
include AuthenticatedSystem
layout "layout"
- before_filter :set_current_user
-
hide_action :breadcrumb
def breadcrumbs
[]
end
+ # Start of declaration_authorization-related code
+ before_filter :set_current_user
+
+ # One way of using declarative_authorization is to restrict access
+ # to controller actions by default by stating the following line.
+ # This installs a default before_filter for authorization according
+ # to the action names.
+ #filter_access_to :all
+
protected
+ # There are multiple ways of handling authorization failures.
+ # One is to implement a permission denied method as shown below.
+ # If none is defined, either a simple string is displayed
+ # to the user ("You are not allowed...", default) or the authorization
+ # exception is raised. TODO state configuration option
+ #
#def permission_denied
# respond_to do |format|
# flash[:error] = 'Sorry, you are not allowed to view the requested page.'
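Review bot: With `#filter_access_to :all` left commented out, any controller that declares no `filter_access_to` of its own is reachable by every user, so the comment above that line should make clear that the default is allow, not deny. Suggest adding `# While this line stays commented out, each controller must declare its own filter_access_to; an action with no filter is open to everyone.` The first added comment also misspells the plugin name and should read `# Start of declarative_authorization-related code`. The commented-out `permission_denied` example is cut by the hunk boundary and continues in the next hunk.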
@@ -34,6 +47,9 @@ def breadcrumbs
# end
#end
+ # set_current_user sets the global current user for this request. This
+ # is used by model security that does not have access to the
+ # controller#current_user method. It is called as a before_filter.
def set_current_user
Authorization.current_user = current_user
end
@@ -1,4 +1,6 @@
class ConferenceAttendeesController < ApplicationController
+ # See ConferenceController for comments on the most common use of
+ # filter_access_to
filter_access_to :all
filter_access_to :destroy, :attribute_check => true
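Review bot: The new comment refers readers to `ConferenceController`, but the class shown in this commit is `ConferencesController`, so the cross-reference will not resolve for anyone searching the tree; the same wording is added in TalkAttendeesController, TalksController and UsersController. Change it in each place to `# See ConferencesController for comments on the most common use of`. The second hunk of this file also says `an new Attendee object`, which should read `a new ConferenceAttendee object` to match the class instantiated on the line below it.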
@@ -12,6 +14,11 @@ def index
end
end
+ # In the case of create, declarative_authorization cannot load an
+ # object from the params hash by default. The object is needed to
+ # check the authorization rules defined in the configuration.
+ # Instead, an new Attendee object is created with the known parameters
+ # and checked for in a block given to filter_access_to.
filter_access_to :create do
@conference = Conference.find(params[:conference_id])
@attendee = ConferenceAttendee.new(:conference => @conference,
@@ -1,7 +1,12 @@
class ConferencesController < ApplicationController
+ # Installs a before_filter to check accesses on all actions for the user's
+ # authorization.
filter_access_to :all
- filter_access_to :show, :edit, :update,
- :destroy, :attribute_check => true
+ # Overrides the default checks by explicitly using attribute checks
+ # against the parameters. This causes the declarative_authorization
+ # plugin to load a Conference object from params[:id] into
+ # the @conference instance variable.
+ filter_access_to :show, :edit, :update, :destroy, :attribute_check => true
# GET /conferences
# GET /conferences.xml
@@ -1,5 +1,7 @@
# This controller handles the login/logout function of the site.
class SessionsController < ApplicationController
+ # This controller has no filter_access_to statements, as everyone
+ # may try to login or logout.
# render new.rhtml
def new
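Review bot: The comment states that everyone may log in or log out, but not that this only holds because `filter_access_to :all` is commented out in ApplicationController; if that global filter were enabled, the actions in this controller would be refused for anonymous users and nobody could sign in. Suggest `# No filter_access_to here: login and logout must stay reachable for anonymous users. If a global filter_access_to :all is ever enabled in ApplicationController, these actions need an explicit authorization rule.` The `new` action continues outside the hunk.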
@@ -1,4 +1,6 @@
class TalkAttendeesController < ApplicationController
+ # See ConferenceController for comments on the most common use of
+ # filter_access_to
filter_access_to :all
filter_access_to :destroy, :attribute_check => true
@@ -12,6 +14,8 @@ def index
end
end
+ # See ConferenceAttendeesController for comments on the use of
+ # filter_access_to with custom permission checks.
filter_access_to :create do
@talk = Talk.find(params[:talk_id])
@attendee = TalkAttendee.new(:talk => @talk,
@@ -1,4 +1,6 @@
class TalksController < ApplicationController
+ # See ConferenceController for comments on the most common use of
+ # filter_access_to
filter_access_to :all
filter_access_to :show, :update, :destroy, :attribute_check => true
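Review bot: The added comment presents ConferencesController as the pattern being followed, but unlike that controller the attribute check on the next line omits `:edit`, so `edit` is covered only by the role-level `filter_access_to :all` and presumably renders the form for any talk even where `update` would later be refused for it. If that is deliberate the comment should say so; otherwise the line should read `filter_access_to :show, :edit, :update, :destroy, :attribute_check => true`. UsersController has a similar shape with `:show` outside its attribute check, which may be intended for a public profile page.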
@@ -1,4 +1,6 @@
class UsersController < ApplicationController
+ # See ConferenceController for comments on the most common use of
+ # filter_access_to
filter_access_to :all
filter_access_to :edit, :update, :attribute_check => true
@@ -25,12 +25,6 @@ class User < ActiveRecord::Base
# anything else you want your user to change should be added here.
attr_accessible :login, :email, :name, :password, :password_confirmation, :roles
- serialize :roles, Array
-
- has_many :talk_attendees
- has_many :conference_attendees
-
-
# Authenticates a user by their login name and unencrypted password. Returns the user or nil.
#
# uff. this is really an authorization, not authentication routine.
@@ -41,9 +35,24 @@ def self.authenticate(login, password)
u = find_by_login(login) # need to get the salt
u && u.authenticated?(password) ? u : nil
end
+
+ # Start of code needed for the declarative_authorization plugin
+ #
+ # Roles are stored in a serialized field of the User model.
+ # For many applications a separate UserRole model might be a
+ # better choice.
+ serialize :roles, Array
+
+ # The necessary method for the plugin to find out about the role symbols
+ # Roles returns e.g. [:admin]
def roles
r = (super || []).map {|r| r.to_sym}
end
+ # End of declarative_authorization code
+
+ # Application-specific code
+ has_many :talk_attendees
+ has_many :conference_attendees
end
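Review bot: The new comment documents roles as a serialized array but not that `:roles` appears in the `attr_accessible` list in the earlier hunk of this file, so any mass assignment of User attributes can write the role array; the comment block should state whether that is intended and, if it is not, `:roles` should come out of `attr_accessible`. The `roles` method also assigns a local `r` that is never read while the block parameter shadows it; `(super || []).map(&:to_sym)` does the same work. Because every stored value is turned into a symbol with `to_sym`, it is worth a line in the comment that only known role names should ever reach this column.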
@@ -11,9 +11,11 @@
<body style="margin:0; padding: 0;">
<div id="topnav" class="<%= logged_in? and current_user.roles.map(&:to_s) * " " %>">
+ <%# link_to ... if permitted_to? ... is used to only show the links if the
+ current user has the stated privileges. %>
<%= link_to "Conferences", conferences_path if permitted_to? :read, :conferences %>
<%= link_to "Users", users_path if permitted_to? :read, :users %>
- <%= link_to "Authorization Rules", :controller => 'authorization_rules' if permitted_to? :read, :authorization_rules %> |
+ <%#= link_to "Authorization Rules", :controller => 'authorization_rules' if permitted_to? :read, :authorization_rules %> |
<% if logged_in? %>
Logged in as <b><%= h current_user.login %> (<%= current_user.roles * ',' %>)</b>.
<%= link_to "Logout", '/logout' %>
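Review bot: The added comment describes `link_to ... if permitted_to?` as the way links are shown, which reads as if hiding the link were the access check; it is not, the controller-side `filter_access_to` is, and the view condition only keeps the navigation tidy. Suggest extending it to `<%# permitted_to? only decides whether a link is rendered; the controllers' filter_access_to still enforce access when a URL is requested directly. %>`. The comment is also split across two lines, and whether the template engine in use accepts a multi-line `<%# %>` comment should be confirmed against the rendered page rather than assumed.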

