Rails authorization in web services

My Rails application is pretty much the interface for several web services. I keep the User model, and that's about it. I need to add authorization to my web application, using Devise for authentication. I noticed that CanCan and acl9 work mostly on instances of ActiveRecord models. Can CanCan or acl9 still fit my needs? Any tips on using either of these libraries in my situation?

Should I look for something that works more on actions instead of instances?

Also, these are both role-based systems, and I am thinking about using a permission-based system. Will they still fit well?

+4
2 answers

I can't speak for acl9. However, the cancan wiki claims that "it's easy to create your own [model] adapter if one is not provided." https://github.com/ryanb/cancan/wiki/Model-Adapter In other words, even if you are not using ActiveRecord, you can still use cancan.

That said, if you are not planning on using roles, your cancan ability definitions may look a little redundant, for example:

```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)

    # each ability is gated on a permission flag rather than on a role
    can :create, Widget if user.has_permission(:create_widgets)
    can :delete, Widget if user.has_permission(:delete_widgets)
    can :herp,   Derp   if user.has_permission(:herp_derp)
  end
end
```

It would be nice if you could use cancan only for its controller authorization methods, but I don't know if that is possible. Good luck.

+1

Just to (finally) respond regarding acl9.

Acl9 consists of two separate parts: the Access Control Subsystem, which is all the authorization stuff you put in your controller, and the Role Subsystem, which installs / verifies / removes roles on an authenticated user.

The only thing the access control subsystem ever calls is current_user.has_role?(role, obj=nil). Thus the role subsystem has zero dependency on ActiveRecord, associations, the database, etc. There is a helper (acts_as_authorization_subject) that adds an ActiveRecord-dependent has_role? method to the class, but it is completely optional: you can implement your own has_role? method (which can also fall back by calling super to get acl9's version) and implement your access checks as you please. So, you said what you want to do: keep your user model. Let's say you want your user's role to be the administrator of a school, but this school is a web service call to some remote system.

```ruby
## in your model
class User < ActiveRecord::Base
  def has_role?(role, obj = nil)
    # <-- just making up how we know we're the admin of the remote school
    role == :admin && obj == school && school[:admin] == id
  end

  def school
    @school ||= School.get_by_user_id(id)
  end
end

## in your controller
class SomeController < ApplicationController
  before_action :set_school

  access_control do
    allow :admin, of: :school
  end

  private

  def set_school
    @school = School.get_by_id(params[:school_id])
  end
end
```
0
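The remote-backed has_role? approach from the answer above, as an added example that is not part of the original post and does not require acl9 or Rails: RemoteSchoolService, its records and the user ids are constructed stand-ins for the real web service, and the acl9 `access_control` block is written out by hand as a plain method so the deny-by-default and fail-closed behaviour is visible.

```ruby
class RemoteSchoolService
  # Constructed data: school id => record as the remote service would return it.
  SCHOOLS = { 1 => { id: 1, admin: 10 }, 2 => { id: 2, admin: 20 } }.freeze
  class Unavailable < StandardError; end

  @down = false
  class << self
    attr_accessor :down # set to true to simulate a remote outage
  end

  def self.get_by_id(id)
    raise Unavailable, "school service unreachable" if down
    SCHOOLS[id] # nil when the remote system knows no such school
  end
end

class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # The only method acl9's access control subsystem ever calls; there is no
  # ActiveRecord behind it, the answer comes from the remote school record in obj.
  def has_role?(role, obj = nil)
    return false unless role == :admin && obj.is_a?(Hash)
    obj[:admin] == id
  end
end

# Hand-written equivalent of `access_control do allow :admin, of: :school end`:
# nobody is allowed unless the current user holds :admin on that exact school.
# Returns :allow, :deny or :not_found so the controller can pick the response;
# a remote failure also ends in :deny rather than in an open door.
def authorize_school_action(current_user, school_id)
  school = RemoteSchoolService.get_by_id(school_id)
  return :not_found if school.nil?
  current_user.has_role?(:admin, school) ? :allow : :deny
rescue RemoteSchoolService::Unavailable
  :deny
end
```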

Source: https://habr.com/ru/post/1392734/

