[Wanted] A gem that handles authentication AND authorization for me

Hi All!

I am searching for a gem that handles authentication and authorization at the same time for me.

I tried several combinations of different authentication and authorization gems, but even if the combinations worked, I dont get comfortable with them. I dislike the fact to configure so many things in so many places...

Therefore I am searching for a gem that handles both for me and is easy to configure.

It should work with rails 3.1 and have configurable roles. +1 if I can add own roles. +2 if I can assign the roles per object and dont have to assign them system wide...

To clarify the +2: Lets say I have a forum and a blog with the same user base. I have the admin role in both places and may do everything everywhere. A normal user without special rights is allowed to read and comment in the blog and to write in the forum. The user "klaus" is an author for blogposts but has no special rights in the forum, so there he is a normal user. On the other Hand there is "alfred" who is allowed to moderate the forum but not allowed to do anything more than comments and reading in the blog. There could be a third user that is allowed to write articles in the blog and moderate the forum... With the authorization gems I found and tried so far I had to define systemwide roles that had to implement different behaviour for the subsystems, so I had the following roles in this simple scenario: owner -> Overall side admin blog_author_and_forum_mod -> Is allowed to use full blog and moderate in the forum only_blog_author -> Is allowed to use the blog but is a simple user in the forum only_forum_mod -> Is allowed to moderate the forum, but is not allowed to create his own blogsposts user -> standarduser as described above guest -> Read-Only, is not allowed to comment or write in the forum.

If there are other subsystems added or hidden forums this will get much more complicated...

TIA Norbert

I personally use devise for authentication. With some simple code you can roll your own authorization system.

You can use in your user table: t.boolean :admin, :default => false

In your application controller:

helper_method :require_admin

  def admin_user     if current_user && current_user.admin == true    end   end

  def require_admin    unless current_user && current_user.admin    access_denied    end   end

  def access_denied    redirect_to root_url    flash[:notice] = "Cannot access that page!"   end

Then use require_admin as a before filter in your controllers.

Yeah, cool... t.boolean :forum_mod, :default => false t.boolean :blog_poster, :default => false t.boolean :may_see_hidden_forum_number1, :default => false t.boolean :and_so_on, :default => false

This is what I not wanted to do...

Additionally I think that the controller should not more about the user as what is absolutely necessary. As I understand the hole mechanisms, authorization should be part of the model, or at least of another subsystem...

If it would be possible I would even let the the database handle the users and create a single databaseuser for every user of my page and handle his permissions to the tables by the database as approach for authorization AND authentication at the same time, but I cant do this because 1) I dont know how to do this in rails and 2) my hoster does not allow more than one dbuser for free...

With this argumentation cancan + any authentication system is more what I want then your approach. But I prefer to have authentication and authorization in one single system.

For some reason everyone seems to always go for right Devise (like a moth to a flame). Nothing wrong with that, but I've always found OmniAuth to be far more superior: https://github.com/intridea/omniauth

Depending on who your provider is and what they're using for authentication/authorization, it's quite easy to accomplish both simultaneously in one flow. Google uses a hybrid OpenID approach mixing in oauth authentication as part of the login flow and Facebook does the same with connect.

OmniAuth is easy to use and well supported by the talented crew over at Intridea. I've used it personally many times for Google, Facebook, Twitter, and Vimeo, but it supports many more providers. If the provider you're looking for isn't there, it's quite easy to add an extension for them.

I personally use Devise + CanTango (a roles layer on top of CanCan, an authorization provider) and it’s really really easy to set it up and get going. You should really try the combo out.

Declarative Authorization is one more choice. For authentication, you would need user object in Crontroller#current_user and should user model need to respond to role_symbols. you can find more details on here

Thanks,

Harun

Correct. Any time you have a _number1 and_so_on, that's a smell that indicates a need to break out the association into a separate class (or at least table).

In this case, maybe something like having a set of user roles, whereby a given forum may require one or more (or perhaps *any of* several?) roles in order to administer it, or see it, or whatever, and users have zero or more roles.

For instance, let's say your project is a gathering place with forums for assorted aspects of various religions. (For instance, you may have Hebrew Lessons and Daily Torah Reading for the Jews; Arabic Lessons and Daily Quran Reading for the Muslims; Talking with your Mouth Full and Daily Sauce Recipe for the Pastafarians; and so on.) To prevent holy flame wars, you don't want the members each of them to even see the existence of the other religions' forums. Each forum could have an optional role required in order to see it, and each user could have zero or more roles. (More than one, in case you trust someone to see the forums of multiple religions.) Or, you could have multiple roles per forum, which raises the question of whether you want to require *any* of them, *all* of them, or something more complex.

-Dave