Controller filter parameters

Today I was writing an authentication filter for my controllers that needed some parameters. This is what I did:

class ApplicationController < ActionController::Base
  # Class-level helper: closes over its arguments and registers a block filter
  def self.verify_permission(permission, options = {})
    before_filter { |controller| controller.verify_permission(permission, options) }
  end

  # Instance method the block filter calls on every request
  def verify_permission(permission, options)
    # actual authentication code goes here
  end
end

And check the permissions with, say:

verify_permission :manage_simulation, :simulation => 1 # just fictitious

Is it possible to do it with Rails directly with some syntax like the below?

before_filter :verify_permission, :parameters => [:manage_simulation, {:simulation => 1}], :except => [:login]

If not, it is not complicated to implement, so are there any reasons why this would be a bad idea?

Thanks in advance,

Rodrigo.

I assume you're looking for a good way to implement authorization
rules, in which case you might want to take a look at the following
plugin: http://github.com/Fingertips/authorization-san
And checkout this rails template for more examples on how to use it: http://github.com/Fingertips/rails-template

HTH,
Eloy

Hi Eloy, thank you for your suggestion, but I don't think it would satisfy my needs...

In my case, a user has a role that can be attached to some conditions. For instance, the user 'manager' has a role 'institution_admin' only for institution 'manager_institution'...

But anyway, that was just an example. I was really curious about filters supporting parameters directly.

Best regards,

Rodrigo.

Hey Rodrigo,

Hi Eloy, thank you for your suggestion, but I don't think it would
satisfy my needs...

In my case, a user has a role that can be attached to some conditions.
For instance, the user 'manager' has a role 'institution_admin' only for
institution 'manager_institution'...

I don't completely follow the explanation of the example, but that would probably be easy with authorization-san. It already supports the idea of 'role' on an object.
In all the projects we have used it, we haven't found one scenario that we couldn't solve.

class InstitutionsController < ActionController::Base
   allow_access :institution_admin do
     # perform any checks and return truthy or falsy value
   end
end

But anyway, that was just an example. I was really curious about filters
supporting parameters directly.

I'm not sure there is any reason to, since like I said we have been able to solve all situations we've come across.

Besides that, I'm not sure that I find the examples you gave of how it would look to be readable/understandable. Maybe it's the example, maybe it's me…

Cheers,
Eloy

I still can't figure out what the complete use case would look like with authorization-san.

Let me put the examples in more detail. In my project, users have roles, which have permissions, as usual.

But some roles are attached to some condition. In a role 'institution_admin', a user should be attached to some specific existing institution.

But if a user belongs to the 'system_admin' role, for instance, they shouldn't be attached to any conditions.

I have in User:

has_many :assignments
has_many :roles, :through => :assignments

And in Assignment, there is 'user_id', 'role_id' and an integer 'condition' that could be null. The roles are fixed and I check that condition is filled in correctly depending on the role.

There is a hash that maps the expected condition class to each role.

If you think I could do the same with authorization-san, I would be glad to see a more in-depth example.

Thank you,

Rodrigo.
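
Here is an added worked example, not code from this thread and not Rails or authorization-san code, that puts the two ideas discussed so far into runnable plain Ruby: the parameterised before_filter from the first post (both the working class-method helper and the proposed :parameters/:except syntax) and the roles-with-a-condition scheme just described. The FilterController stand-in, the ROLES table, Assignment, User, PermissionDenied, the two controllers and the sample assignment rows are all assumptions made for the example; it needs no Rails.

```ruby
require 'set'

class PermissionDenied < StandardError; end
# Fixed role table (the thread's "hash that maps the expected condition class to each role"):
# :condition => nil makes the role global; :institution ties each assignment to one institution id.
ROLES = {
  :system_admin      => { :permissions => Set[:manage_simulation, :manage_institution], :condition => nil },
  :institution_admin => { :permissions => Set[:manage_institution], :condition => :institution }
}.freeze

# Mirrors the Assignment table: user_id, role (for role_id), integer condition or nil.
Assignment = Struct.new(:user_id, :role, :condition) do
  def valid?   # the condition must be filled in exactly when the role requires one
    required = ROLES.fetch(role)[:condition]
    required.nil? ? condition.nil? : condition.is_a?(Integer)
  end
end

class User
  attr_reader :id, :assignments
  def initialize(id, assignments)
    @id = id
    # A malformed row is dropped rather than read as a global grant (fail closed).
    @assignments = assignments.select { |a| a.user_id == id && a.valid? }
  end

  # scope describes the request, e.g. { :institution => 1 }.
  def permitted?(permission, scope = {})
    assignments.any? do |a|
      spec = ROLES.fetch(a.role)
      next false unless spec[:permissions].include?(permission)
      spec[:condition].nil? || scope[spec[:condition]] == a.condition
    end
  end
end

# Minimal stand-in for ActionController's filter chain (assumed, not Rails code; filters are per class, not inherited).
class FilterController
  # The syntax proposed in the first post: method name, its arguments, actions to skip.
  def self.before_filter(name, options = {})
    (@filters ||= []) << { :name => name, :parameters => Array(options[:parameters]),
                           :except => Array(options[:except]) }
  end

  # The first post's working approach: a class-level helper closing over its arguments.
  def self.verify_permission(permission, options = {})
    before_filter(:verify_permission, :parameters => [permission, options])
  end
  def self.filters; @filters || []; end

  attr_reader :current_user, :params
  def initialize(current_user, params = {})
    @current_user, @params = current_user, params
  end

  # Runs every applicable filter, then the action; a raise in a filter aborts the request.
  def dispatch(action)
    self.class.filters.each do |f|
      send(f[:name], *f[:parameters]) unless f[:except].include?(action)
    end
    send(action)
  end

  # Symbol values in options name request params (:institution => :id): the condition comes from the request, not a literal.
  def verify_permission(permission, options = {})
    scope = {}
    options.each do |key, value|
      scope[key] = value.is_a?(Symbol) ? params.fetch(value) { raise PermissionDenied, "no #{value}" } : value
    end
    return if current_user && current_user.permitted?(permission, scope)
    raise PermissionDenied, "#{permission} denied for #{scope.inspect}"
  end
end

class InstitutionsController < FilterController
  before_filter :verify_permission, :parameters => [:manage_institution, { :institution => :id }],
                                    :except => [:show]
  def show;   :shown;   end
  def update; :updated; end
end

class SimulationsController < FilterController
  verify_permission :manage_simulation   # the first post's helper: global permission, no condition
  def update; :updated; end
end

# Constructed sample assignments (not data from the thread).
ASSIGNMENTS = [
  Assignment.new(1, :system_admin, nil),       # user 1: global admin
  Assignment.new(2, :institution_admin, 1),    # user 2: admin of institution 1 only
  Assignment.new(3, :institution_admin, nil)   # user 3: malformed row, condition missing
]
# Returns the action's result, or :denied when the permission filter rejects the request.
def simulate_request(controller, user_id, action, params = {})
  user = user_id && User.new(user_id, ASSIGNMENTS)
  controller.new(user, params).dispatch(action)
rescue PermissionDenied
  :denied
end
```

Two things a reviewer would look for are kept in: the condition is read from the request (:institution => :id) rather than written as a literal, so the check is about the institution actually being edited, and every failure path (no user, missing id, malformed assignment row, no matching role) denies. The :except list is a hole by design, so keep it to actions that genuinely need no permission check. If a check needs the loaded record rather than a raw id, the filter that loads it has to run before the permission filter; in Rails that ordering is what prepend_before_filter gives you.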

Hi Rodrigo,

Here is an example of what you probably want:

  class User < ActiveRecord::Base
    has_many :roles

    # Predicates named after the roles passed to allow_access below
    def institution_admin?
      roles.any? { |r| r.label == 'institution_admin' }
    end

    def system_admin?
      roles.any? { |r| r.label == 'system_admin' }
    end
  end

  class InstitutionController < ApplicationController
    # system_admin is global: no block, the role alone grants access
    allow_access(:system_admin)
    # institution_admin is scoped: the block must also return a truthy value
    allow_access(:institution_admin) do
      @authenticated.institution == @institution
    end

    # Prepended so @institution is loaded before the access check runs
    prepend_before_filter :find_institution

    private

    def find_institution
      @institution = Institution.find(params[:id])
    end
  end

Can you restart this discussion on the Rails Talk list and CC Eloy and
me? This list is meant for discussing Rails core development.

Thanks,
Manfred

Hi Rodrigo,

The boolean accessors on the User model could probably be refactored,
but you get the idea.

class User < ActiveRecord::Base
  has_many :roles

  # Predicates named after the roles passed to allow_access below
  def institution_admin?
    roles.any? { |r| r.label == 'institution_admin' }
  end

  def system_admin?
    roles.any? { |r| r.label == 'system_admin' }
  end
end

class InstitutionController < ApplicationController
  # system_admin is global: no block, the role alone grants access
  allow_access(:system_admin)
  # institution_admin is scoped: the block must also return a truthy value
  allow_access(:institution_admin) do
    @authenticated.institution == @institution
  end

  # Prepended so @institution is loaded before the access check runs
  prepend_before_filter :find_institution

  private

  def find_institution
    @institution = Institution.find(params[:id])
  end
end

Can we continue this discussion on Ruby on Rails: Talk? This list is
meant for discussions about Ruby on Rails core development.

Manfred