Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Plugin for writing allow/deny rules in controllers
Ruby
branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
lib
spec
.gitignore
MIT-LICENSE
README.rdoc
Rakefile
init.rb

README.rdoc

Access

Defining access to actions through calls to allow/deny

Example

# you can rewrite access_denied which by default redirects to '/'
access_denied

# allow/deny all actions if there are no other rules for action
allow_by_default
deny_by_default

# allow/deny all following actions
allow
deny

# now explanation of rules (examples for allow can be applied to deny)

# allow index and show
allow :index, :show

# allow all actions if admin? evaluates to true
allow :if => :admin?

# allow index and show if admin? evaluates to true
allow :index, :show, :if => :admin?

# allow index and show if admin? or user? (string evaluates in context of controller instance)
allow :index, :show, :if => 'admin? || user?'

# allow index and show if admin? or user? (proc evaluates in context of controller instance)
allow :index, :show, :if => proc{ admin? || user? }

# allow index and show if admin? or user?
allow :index, :show, :if_any => [:admin?, :user?]

# allow index and show if admin? and odd_day?
allow :index, :show, :if_all => [:admin?, :odd_day?]

# allow index and show unless bad_user? or robot?
allow :index, :show, :unless_any => [:bad_user?, :robot?]

# allow index and show unless bad_user? and was_here_today?
allow :index, :show, :unless_all => [:bad_user?, :was_here_today?]

# rules override each other (order of rules is important)
# index can be accessed by anyone except bad_user
# new can be accessed by admin or user with special key but not by bad_user or robot (ever if he has special key)
# all other actions are inaccessible
deny_by_default
allow :index
allow :new, :if_any => [:admin?, :has_special_key?]
deny :if => :bad_user?
deny :new, :if => :robot?

# example
class ApplicationController < ActionController::Base
  deny_by_default
end

class PostController < ApplicationController
  allow :index, :show, :new, :create
  allow :edit, :update, :if => :owner
  allow :destroy, :if => :admin?
  deny :new, :create, :if_any => [:bad_user, :wrote_post_for_last_5_minutes?]
  deny :edit, :update, :if => :bad_user

  def index
    ...
  end

  def show
    ...
  end

  def new
    ...
  end

  def edit
    ...
  end

  def create
    ...
  end

  def update
    ...
  end

  def destroy
    ...
  end
end
Something went wrong with that request. Please try again.