[Wanted] A gem that handles authentication AND authorization for me

Hi All!

I am searching for a gem that handles authentication and authorization
at the same time for me.

I tried several combinations of different authentication and
authorization gems, but even if the combinations worked, I dont get
comfortable with them. I dislike the fact to configure so many things
in so many places...

Therefore I am searching for a gem that handles both for me and is
easy to configure.

It should work with rails 3.1 and have configurable roles. +1 if I can
add own roles. +2 if I can assign the roles per object and dont have
to assign them system wide...

To clarify the +2:
Lets say I have a forum and a blog with the same user base. I have the
admin role in both places and may do everything everywhere.
A normal user without special rights is allowed to read and comment in
the blog and to write in the forum.
The user "klaus" is an author for blogposts but has no special rights
in the forum, so there he is a normal user.
On the other Hand there is "alfred" who is allowed to moderate the
forum but not allowed to do anything more than comments and reading in
the blog.
There could be a third user that is allowed to write articles in the
blog and moderate the forum...
With the authorization gems I found and tried so far I had to define
systemwide roles that had to implement different behaviour for the
subsystems, so I had the following roles in this simple scenario:
owner -> Overall side admin
blog_author_and_forum_mod -> Is allowed to use full blog and moderate
in the forum
only_blog_author -> Is allowed to use the blog but is a simple user in the forum
only_forum_mod -> Is allowed to moderate the forum, but is not allowed
to create his own blogsposts
user -> standarduser as described above
guest -> Read-Only, is not allowed to comment or write in the forum.

If there are other subsystems added or hidden forums this will get
much more complicated...


I personally use devise for authentication. With some simple code you
can roll your own authorization system.

You can use in your user table:
t.boolean :admin, :default => false

In your application controller:

helper_method :require_admin

  def admin_user
    if current_user && current_user.admin == true

  def require_admin
   unless current_user && current_user.admin

  def access_denied
   redirect_to root_url
   flash[:notice] = "Cannot access that page!"

Then use require_admin as a before filter in your controllers.

Yeah, cool...
t.boolean :forum_mod, :default => false
t.boolean :blog_poster, :default => false
t.boolean :may_see_hidden_forum_number1, :default => false
t.boolean :and_so_on, :default => false

This is what I not wanted to do...

Additionally I think that the controller should not more about the
user as what is absolutely necessary. As I understand the hole
mechanisms, authorization should be part of the model, or at least of
another subsystem...

If it would be possible I would even let the the database handle the
users and create a single databaseuser for every user of my page and
handle his permissions to the tables by the database as approach for
authorization AND authentication at the same time, but I cant do this
because 1) I dont know how to do this in rails and 2) my hoster does
not allow more than one dbuser for free...

With this argumentation cancan + any authentication system is more
what I want then your approach. But I prefer to have authentication
and authorization in one single system.

For some reason everyone seems to always go for right Devise (like a
moth to a flame). Nothing wrong with that, but I've always found
OmniAuth to be far more superior: https://github.com/intridea/omniauth

Depending on who your provider is and what they're using for
authentication/authorization, it's quite easy to accomplish both
simultaneously in one flow. Google uses a hybrid OpenID approach
mixing in oauth authentication as part of the login flow and Facebook
does the same with connect.

OmniAuth is easy to use and well supported by the talented crew over
at Intridea. I've used it personally many times for Google, Facebook,
Twitter, and Vimeo, but it supports many more providers. If the
provider you're looking for isn't there, it's quite easy to add an
extension for them.

I personally use Devise + CanTango (a roles layer on top of CanCan, an authorization provider) and it’s really really easy to set it up and get going. You should really try the combo out.

Declarative Authorization is one more choice. For authentication, you would need user object in Crontroller#current_user and should user model need to respond to role_symbols. you can find more details on here



Correct. Any time you have a _number1 and_so_on, that's a smell that
indicates a need to break out the association into a separate class
(or at least table).

In this case, maybe something like having a set of user roles, whereby
a given forum may require one or more (or perhaps *any of* several?)
roles in order to administer it, or see it, or whatever, and users
have zero or more roles.

For instance, let's say your project is a gathering place with forums
for assorted aspects of various religions. (For instance, you may
have Hebrew Lessons and Daily Torah Reading for the Jews; Arabic
Lessons and Daily Quran Reading for the Muslims; Talking with your
Mouth Full and Daily Sauce Recipe for the Pastafarians; and so on.)
To prevent holy flame wars, you don't want the members each of them to
even see the existence of the other religions' forums. Each forum
could have an optional role required in order to see it, and each user
could have zero or more roles. (More than one, in case you trust
someone to see the forums of multiple religions.) Or, you could have
multiple roles per forum, which raises the question of whether you
want to require *any* of them, *all* of them, or something more