I'm pleased to announce the official release of "GateKeeper".
GateKeeper is a Rails plugin that provides easy-to-use methods to declare access permissions to instances of ActiveRecord classes at the model level. Permissions may be based on either a user's roles (such as Admin, Moderator, etc.) or on associations with other models.
In most simple and straightforward Rails projects, scoping your finds through has_many associations is probably sufficient for ensuring that users can't get at data they aren't supposed to. For example, a show action might simply call "@note = User.current.notes.find(params[:id])" so that the find only succeeds if the current user owns the note they're trying to read.
However, things quickly get more difficult when users need limited access to other users' objects based on different roles (such as Admin, Moderator, Premium Subscriber, Employee of the Month, etc.), or based on their relationship with the object's owner (such as Owner, Supervisor of the Owner, etc.). You might want to allow a variety of people to read certain objects based on a variety of different roles and relationships, and only allow a subset of those people to update or destroy the same objects.
GateKeeper makes this absurdly easy to set up and maintain by allowing you to simply make declarations right in your model like...
    createable_by_my_author
    crudable_by_admin
    readable_by_premium_member :if => :published?
    updateable_by_boss_of_my_author :unless => lambda {|article| article.draft_number < 3 }
    readable_as_my_parent
If a user on your site tries to perform an action on an instance of any ActiveRecord model, and permission to perform that action hasn't been explicitly granted to that user via a declaration like the samples above, then the action is canceled and an error is raised.
GateKeeper also provides an option to scope finds by permission, automatically removing records the current user doesn't have permission to read from the arrays returned by ActiveRecord finders. This is disabled by default, and a permission error is raised if a finder returns an object the user doesn't have permission to read.
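The two behaviours described above (deny and raise when no declaration grants the action, versus silently filtering finder results) can be sketched in plain Ruby. This is an added example, not GateKeeper's code or API; every name in it (Guarded, allow, permitted?, authorize!, visible_to, PermissionDenied) and the sample Article model are assumptions made for illustration.

```ruby
# Added illustration in plain Ruby; not GateKeeper's code or API.
# Hypothetical names: PermissionDenied, Guarded, allow, permitted?, authorize!, visible_to.
class PermissionDenied < StandardError; end

module Guarded
  def self.included(base); base.extend(ClassMethods); end
  module ClassMethods
    def rules; @rules ||= []; end
    # Grant `action` to holders of `role`, optionally gated by :if / :unless.
    def allow(action, role, opts = {})
      rules << { action: action, role: role, if: opts[:if], unless: opts[:unless] }
    end

    # Scoping mode: drop records the user may not read instead of raising.
    def visible_to(user, records)
      records.select { |r| r.permitted?(user, :read) }
    end
  end

  # True only when a declaration matches; no declaration means no access.
  def permitted?(user, action)
    self.class.rules.any? do |rule|
      rule[:action] == action && user.roles.include?(rule[:role]) &&
        (rule[:if].nil? || holds?(rule[:if])) &&
        (rule[:unless].nil? || !holds?(rule[:unless]))
    end
  end

  # Default mode: refuse an undeclared action by raising.
  def authorize!(user, action)
    raise PermissionDenied, "#{action} denied for #{user.name}" unless permitted?(user, action)
  end

  private
  # A condition is a method name (Symbol) or a callable taking the record.
  def holds?(cond)
    cond.respond_to?(:call) ? cond.call(self) : send(cond)
  end
end

# Constructed sample model and users.
User = Struct.new(:name, :roles)
Article = Struct.new(:title, :published, :draft_number) do
  include Guarded
  def published?; published; end
  allow :read, :admin
  allow :read, :premium_member, if: :published?
  allow :update, :boss, unless: ->(a) { a.draft_number < 3 }
end
```

With filtering on, a user simply sees fewer records and a missing declaration goes unnoticed; with the raising default, the same gap surfaces as an error.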
More Info Here: http://5valleys.com/posts/show/34
Online Documentation/Installation Instructions Here: http://gatekeeper.rubyforge.org/
Feedback and Questions strongly encouraged.