Authorization on instances

I want to limit access to an instance of a model, so authorization based on an action wouldn't suffice. Is there any plugin with this kind of functionality or am I on my own? Any hints?

Just write the code in the model yourself. Here's some untested code:

class Book < ActiveRecord::Base
  belongs_to :user
end

class User < ActiveRecord::Base
  has_many :books

  # Assumes we have a boolean 'admin' field
  def find_book(book_id)
    if admin?
      Book.find book_id
    else
      books.find book_id
    end
  end
end

Then in your code, you can just do current_user.find_book params[:id]

that kinda thing. Now the authorization is offloaded to the user model, and you don't even have to worry about authorization in your client code. Alternatively, you could do a can_read? sort of method:

def can_read?(book)
  admin? || !books.find_by_id(book.id).nil?
end

There's certainly a way to make the can_read? method more efficient, but you get the idea.

Those are two different approaches I would take, and it would depend on how I want to write my code. A lot of the time I prefer the first, because authorization is effective but transparent. A downside is that you don't know whether a user is unauthorized or whether the book just doesn't exist... so if you want to treat those cases differently, you'll prefer the second approach.

Pat
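Added example, not code from the original thread or from Pat: the two approaches above written as plain Ruby objects so they run without Rails or a database. `NotFound`, `Forbidden`, `read_book`, `classify` and `owned_book_ids` are names assumed for this example; the array of books passed to each user stands in for `Book.find`/`Book.all`, and `books` plays the role of the `has_many :books` association. It goes a little beyond the post in one place: `can_read?` builds the set of owned ids once instead of issuing a query per check, which is the "more efficient" version Pat alludes to.

```ruby
# Added example (not from the original thread): per-instance authorization
# in plain Ruby, mirroring the scoped-finder and can_read? approaches.
require 'set'

class NotFound < StandardError; end   # assumed name: record does not exist / not visible
class Forbidden < StandardError; end  # assumed name: record exists but user may not read it

Book = Struct.new(:id, :title, :owner_id)

class User
  attr_reader :id

  # all_books stands in for Book.all; admin mirrors the boolean 'admin' field.
  def initialize(id, all_books, admin: false)
    @id = id
    @all_books = all_books
    @admin = admin
  end

  def admin?
    @admin
  end

  # The has_many :books association: books this user owns.
  def books
    @all_books.select { |b| b.owner_id == id }
  end

  # Approach 1: a scoped finder. Admins search every book, everyone else only
  # their own, so an id belonging to someone else and an id that does not
  # exist both raise NotFound; the caller cannot tell the two cases apart.
  def find_book(book_id)
    scope = admin? ? @all_books : books
    scope.find { |b| b.id == book_id } or raise NotFound, "book #{book_id}"
  end

  # Approach 2: a predicate on a record the caller already holds. The owned
  # ids are computed once per user object rather than with a query per call.
  def can_read?(book)
    admin? || owned_book_ids.include?(book.id)
  end

  private

  def owned_book_ids
    @owned_book_ids ||= books.map(&:id).to_set
  end
end

# Controller-style use of approach 2: look the record up first, then authorize,
# so "does not exist" (NotFound) and "not yours" (Forbidden) are distinguishable.
def read_book(user, all_books, book_id)
  book = all_books.find { |b| b.id == book_id } or raise NotFound, "book #{book_id}"
  raise Forbidden, "user #{user.id} may not read book #{book_id}" unless user.can_read?(book)
  book
end

# Runs a block and reports its outcome as a symbol, for comparing the two approaches.
def classify
  yield
  :ok
rescue NotFound
  :not_found
rescue Forbidden
  :forbidden
end

# Constructed sample data for the example.
BOOKS = [
  Book.new(1, "Agile Web Development with Rails", 10),
  Book.new(2, "Programming Ruby", 20),
].freeze

ALICE = User.new(10, BOOKS)              # owns book 1
BOB   = User.new(20, BOOKS)              # owns book 2
ROOT  = User.new(1, BOOKS, admin: true)  # sees everything

if __FILE__ == $0
  puts classify { ALICE.find_book(2) }        # approach 1: someone else's book -> not_found
  puts classify { ALICE.find_book(99) }       # approach 1: missing book        -> not_found
  puts classify { read_book(ALICE, BOOKS, 2) }  # approach 2: someone else's book -> forbidden
  puts classify { read_book(ALICE, BOOKS, 99) } # approach 2: missing book        -> not_found
end
```

The scoped finder is the safer default when a controller only ever needs "the record or a 404", because forgetting to call it still fails closed (nothing outside the scope is reachable). The predicate form is needed when the response should differ for a record that is absent versus one the user is not allowed to touch, and it must be called explicitly on every path.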

Hi,

Going through ActiveRBAC manual right now, and I still can't find it. Can you point me to the section of the documentation that talks about this functionality?

Bill Katz has released what looks like a great plugin for this.

http://www.agilewebdevelopment.com/plugins/authorization

Damn, it seems Google ate my inspired post. It couldn't possibly be me, oh no. :slight_smile: Trying to recuperate now...

My first post might have been a bit misleading. I'm not what you might call a skilled programmer, possibly not even a clear thinker. What I actually meant when writing "limiting access" is to ask about authorization on all of CRUD operations.

Obviously I have to admit I'm struggling a bit with your example. Perhaps I should give my own. I'm trying to make some sort of a CMS for my school web site. Let's say I have a model Course. There are some models related to the Course, like Announcement, Report, etc. I have to ensure that only authorized personnel can create, update and delete content for a specific course, make an announcement related to that course, etc. So, Maths-related personnel would make changes only to that instance of the Course model (and the instances of related models). There are probably going to be about two dozen authorized users, possibly more, divided into groups which are going to be used for authorization management. But, first things first. So far I've found

  http://wiki.rubyonrails.org/rails/pages/ACLController

and it looks promising. Only, I'm kind of cautious, since none of the plugins I've seen so far uses the same approach, they all deal with restricting access based on an action, not on URL. Are there any shortcomings I should be aware of regarding this article?

What I'm looking for is hopefully some plugin with this functionality, but I'll settle for some article or tutorial about the issue. It couldn't possibly be a unique problem, so I'm thinking there must be some good reference on the mighty net. It doesn't even have to be strictly about RoR (see how desperate I am?). I've tried Googling, but perhaps not using the right keywords (not being a native speaker doesn't help either). I'm quite willing (and eager) to do my share of hard work, I just need a pointing finger (probably to the obvious). Thanks for the patience (and for even reading this far). :slight_smile:

Hi, I would recommend reading chapters 4 and 5 of the ‘ActiveRBAC Manual’.

Good luck,

-Conrad

Yes, this looks like something I should dwell on. Thanks everyone.