I'm still a newb but I'll answer to the best of my ability.
Authorization is enforced using a before_filter set to certain
controllers and actions of your choice. The advantage over
acts_as_authenticated, that I see as a newb, is you're getting rid of
the admin controller. Less code for the same function is always
better.
I’ve seen the RESTful Authentication plugin that Rick Olsen has, and
was wondering if anyone has used it, or can answer my questions:
What does RESTful Authentication really mean? How does CRUD fit
into this?
Create - Create new user
Read - What does it mean to ‘read’ a user?
Update - Change the user name, etc?
Destroy - Remove user account
Seems like you would have to have a session id anyways, otherwise how do you authorize?
The restful_authentication plugin adds a couple of things over acts_as_authenticated.
One is refactoring users and sessions to follow CRUD conventions. Your list above is about right. ‘Read’ isn’t enabled by default, but could be used, for example, to show a user’s profile page.
The other thing that it adds is support for HTTP authentication of web service requests, which is the most standard way to do authentication for RESTful APIs. That’s the real benefit of this plugin over acts_as_authenticated imho – the same code will now handle both your standard login page and your API.
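As an added example (not the plugin's own code, and not from this thread), here is a stand-alone Ruby sketch of the two points above: the session as a resource that is created and destroyed, and a single login check that accepts either the session cookie or an HTTP Basic header, so the same code serves the login page and the API. The `Request` struct, the in-memory `USERS` store and the salted-SHA1 layout are assumptions standing in for Rails and the plugin's real user model.

```ruby
require 'digest'
require 'securerandom'

# Constructed in-memory user store standing in for the users table.
# The "salt--password" SHA1 layout is an assumption for this example.
USERS = {}

def register(login, password)
  salt = SecureRandom.hex(8)
  USERS[login] = { salt: salt,
                   crypted_password: Digest::SHA1.hexdigest("#{salt}--#{password}") }
end

# Returns the login on success, nil on failure. The digest comparison is
# constant-time so a wrong password does not leak how many leading bytes matched.
def authenticate(login, password)
  return nil unless (rec = USERS[login])
  expected = Digest::SHA1.hexdigest("#{rec[:salt]}--#{password}")
  return nil unless expected.bytesize == rec[:crypted_password].bytesize
  diff = expected.bytes.zip(rec[:crypted_password].bytes).map { |a, b| a ^ b }.sum
  diff.zero? ? login : nil
end

# Constructed stand-in for the Rails request: a session hash and a headers hash.
Request = Struct.new(:session, :headers)

# Equivalent of the login_required before_filter: try the session first,
# then fall back to HTTP Basic credentials for API clients.
def current_user(req)
  return req.session[:user_id] if req.session[:user_id]
  auth = req.headers['Authorization'].to_s
  return nil unless auth.start_with?('Basic ')
  login, password = auth.sub('Basic ', '').unpack1('m').split(':', 2)
  authenticate(login, password)
end

# SessionsController#create: the session itself is the resource being created.
def sessions_create(req, login, password)
  user = authenticate(login, password)
  return :unauthorized unless user
  req.session[:user_id] = user
  :created
end

# SessionsController#destroy: logging out is destroying the session resource.
def sessions_destroy(req)
  req.session.delete(:user_id)
  :ok
end
```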
How do sessions fit into CRUD? Is the session the object of the CRUD, as opposed to a user?
You can create/destroy sessions just as you would any other resource.
In restful_authentication for standard web pages (i.e. not using the API) that will usually create a cookie which is used to store your session ID just like in acts_as_authenticated.