Two roles, administrator and user. Is using anything other than basic HTTP authentication overkill?

I am creating my first website with Rails. It consists of a blog, several static pages and a photo gallery. In the administration section the controllers are namespaced. I also want to create a mailing list that collects contact information (and maybe in the future there will also be a store).

Should I just use basic HTTP authentication and check whether the user is an administrator? Or is a plugin like Authlogic better, where I then define user roles, even though there will be only two: admin and user?

+4
6 answers

In fact, this is just a matter of opinion, and you will need to do what suits you.

Basically, you just need to determine what you need for your authentication (login, etc.) and for your authorization (what the user is allowed to do).

I personally am a big fan of Authlogic for authentication, and of Ryan Bates' cancan library for authorization:

http://github.com/ryanb/cancan

But then again, it really is up to you, and if you use git you can branch the application and try both. :D

Cheers!

0

You could do it yourself, but Authlogic or Devise already do it for you.

0

Remember that you will need to use HTTPS to encrypt the username and password as they cross the wire.

Perhaps this is not a problem for you, but it is something to be aware of.

0
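Added example, not part of any answer above and not Rails or Rack code: a minimal Rack-style request handler in plain Ruby that shows the two things this answer and the question together ask for, an admin area behind HTTP Basic authentication, and a refusal to even look at credentials unless the request arrived over TLS. The credential values, host name and path are placeholders; in a real application the admin credentials would come from the environment or a credentials store, and a Rails app would get the same effect from `config.force_ssl = true` plus `authenticate_or_request_with_http_basic`.

```ruby
require "base64"

# Placeholder admin credentials (assumption for the example; never hard-code
# these in a real application).
ADMIN_USER = "admin"
ADMIN_PASSWORD = "correct horse battery staple"

# Constant-time comparison: a naive == returns as soon as the first byte
# differs, which leaks how much of the password an attacker has right.
# Only the length is still observable, which does not matter here.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Did the request arrive over TLS?  A reverse proxy that terminates TLS
# usually sets X-Forwarded-Proto; trust that header only if the proxy is
# the only thing that can reach this app.
def https?(env)
  env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
end

# Parse "Authorization: Basic <base64(user:pass)>" into [user, pass],
# or nil if the header is missing or malformed.
def parse_basic_auth(header)
  return nil unless header && header.start_with?("Basic ")
  decoded = Base64.strict_decode64(header.sub("Basic ", ""))
  user, pass = decoded.split(":", 2)
  return nil if user.nil? || pass.nil?
  [user, pass]
rescue ArgumentError
  nil # not valid base64
end

# Rack-style entry point: env is a Hash, the result is [status, headers, body].
def admin_app(env)
  # Never accept Basic credentials in the clear: redirect a plain-HTTP request
  # before touching the Authorization header at all.
  unless https?(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    return [301, { "Location" => location }, []]
  end

  creds = parse_basic_auth(env["HTTP_AUTHORIZATION"])
  if creds && secure_equal?(creds[0], ADMIN_USER) && secure_equal?(creds[1], ADMIN_PASSWORD)
    [200, { "Content-Type" => "text/plain" }, ["admin area"]]
  else
    [401, { "WWW-Authenticate" => 'Basic realm="Admin"' }, ["unauthorized"]]
  end
end

# Helpers to build constructed requests (not captured traffic).
def basic_auth_header(user, pass)
  "Basic " + Base64.strict_encode64("#{user}:#{pass}")
end

def request(scheme:, auth: nil)
  env = { "rack.url_scheme" => scheme, "HTTP_HOST" => "example.test", "PATH_INFO" => "/admin" }
  env["HTTP_AUTHORIZATION"] = auth if auth
  env
end

if __FILE__ == $PROGRAM_NAME
  good = basic_auth_header(ADMIN_USER, ADMIN_PASSWORD)
  puts admin_app(request(scheme: "http", auth: good))[0]                          # 301
  puts admin_app(request(scheme: "https", auth: good))[0]                         # 200
  puts admin_app(request(scheme: "https", auth: basic_auth_header("admin", "x")))[0] # 401
end
```

The order of the checks is the point: the plain-HTTP request is redirected before the credentials are parsed, so a client that mistakenly typed `http://` never has its password evaluated (and logged) on the unencrypted leg.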

Use rpxnow.com. Integrate with them once, and users of Google, Yahoo, Microsoft, Facebook, etc. can sign in to your site.

The process is quite simple:

  • Attach their JavaScript code to your login page.
  • Write the controller action that RPXnow calls back with the token after authentication. This action parses the token and makes a secure web call to rpxnow.com to retrieve the user data. Take the email address, which at that point is verified.
  • Since you now have a verified email address, the user can be granted access to the inside of your site.

If you use RPX for authentication, you do not need to write a "forgot password" function or a "register" function with email confirmation. The identity provider does that for you.

Stackoverflow.com uses a similar authentication scheme.

(This is based on the assumption that 99% of Internet users have one of Google, Yahoo, Hotmail / Live or Facebook).

0

To answer your comment on dustmoo: if adding authorization rules to your application "makes the views messy", then you are not using authorization correctly. That is what "declarative" is for.

declarative_authorization lets you separate authorization concerns from the rest of your application.

There's also cancan, which is a little easier to set up but has less functionality (you lose Model.with_permissions_to).

0
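Added example, not part of the answer above and not the code of cancan or declarative_authorization: a small rule-based authorizer in plain Ruby built on the same idea those libraries implement, all rules for the two roles declared in one place, with controllers and views only ever asking `can?`. The `Post` and `User` structs, the `:admin`/`:user` roles and the sample records are assumptions made for the example; `accessible` plays the role the answer attributes to `Model.with_permissions_to`, filtering a collection down to what the current user may act on.

```ruby
# Assumed models for the example (a real app would use ActiveRecord).
Post = Struct.new(:id, :author_id, :published)
User = Struct.new(:id, :role)

class AccessDenied < StandardError; end

# One place that knows who may do what. The user may be nil (anonymous visitor).
class Ability
  def initialize(user)
    @rules = [] # each entry: [action, subject_class, optional condition on the record]

    # Anyone may read published posts.
    can :read, Post, ->(post) { post.published }
    return if user.nil?

    if user.role == :admin
      can :manage, Post                                       # :manage covers every action
    else
      can :read,   Post, ->(post) { post.author_id == user.id } # own drafts
      can :create, Post
      can :update, Post, ->(post) { post.author_id == user.id } # own posts only
    end
  end

  # Declare a rule; the condition, if given, is evaluated against a record.
  def can(action, subject_class, condition = nil)
    @rules << [action, subject_class, condition]
  end

  # Ask about a class ("may this user create posts at all?") or about a
  # specific record. Class-level questions ignore record conditions, as
  # the question "may I update some post?" cannot be answered per record.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule_action, rule_class, condition|
      next false unless rule_class == klass
      next false unless rule_action == :manage || rule_action == action
      condition.nil? || subject.is_a?(Class) || condition.call(subject)
    end
  end

  # Narrow a collection to the records the user may perform `action` on.
  def accessible(action, records)
    records.select { |record| can?(action, record) }
  end
end

# What a controller action looks like once authorization lives in Ability:
# a single check, and the view never needs to know about roles.
def update_post(current_user, post, published:)
  raise AccessDenied unless Ability.new(current_user).can?(:update, post)
  post.published = published
  post
end

# Constructed sample data, not from any real site.
POSTS = [
  Post.new(1, 10, true),  # published, written by user 10
  Post.new(2, 10, false), # draft, written by user 10
  Post.new(3, 20, false)  # draft, written by user 20
].freeze
ADMIN = User.new(1, :admin)
ALICE = User.new(10, :user)

if __FILE__ == $PROGRAM_NAME
  p Ability.new(nil).accessible(:read, POSTS).map(&:id)    # [1]
  p Ability.new(ALICE).accessible(:update, POSTS).map(&:id) # [1, 2]
  p Ability.new(ADMIN).accessible(:update, POSTS).map(&:id) # [1, 2, 3]
end
```

Adding a third role later means adding rules in `initialize`, not touching every view and controller, which is the separation the answer is arguing for.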

I will also vote for Authlogic + cancan.

Ryan's tutorial is simple enough to follow; it takes a few hours to set it all up (even for beginners).

If you try to create your own authentication model (and I assume you don't have much experience), the time you will spend re-doing everything (again and again) justifies the time spent learning from the professionals.

my 0.02

0

Source: https://habr.com/ru/post/1305567/
