
Security: declarative authorization

barriault edited this page Oct 17, 2011 · 5 revisions

Here are some tips on using declarative_authorization with ActiveScaffold’s security model.

Settings

security.default_permission global

From the Security page:

A boolean value for what a security check should return in the absence of a relevant method. The default is true, which lets ActiveScaffold work out of the box. If you need to be security conscious in your application, you should consider setting this to false so that nothing works until you permit it.

Unfortunately, this doesn’t seem to work. In order to get things working I had to comment the line out so that it would default to true. I also added a few other methods to the ApplicationController.

class ApplicationController < ActionController::Base

  # Set up the current user for declarative_authorization
  before_filter { |c| Authorization.current_user = c.current_user }

  # Handle security errors
  rescue_from ActiveScaffold::ActionNotAllowed, :with => :permission_denied

  ActiveScaffold.set_defaults do |config|
    # config.security.default_permission = false
  end

  def permission_denied
    flash[:error] = "Sorry, you are not allowed to access that page."
    redirect_to root_url
  end
end

Controllers

Do not use filter_resource_access in your controllers. Instead, implement the #{action_name}_authorized? methods like this:

def create_authorized?
  permitted_to? :create, :posts
end

def show_authorized?(record = nil)
  permitted_to? :read, :posts
end

def list_authorized?
  permitted_to? :read, :posts
end

def update_authorized?(record = nil)
  permitted_to? :update, :posts
end

def delete_authorized?(record = nil)
  permitted_to? :delete, :posts
end

Models

Do not use using_access_control at the top of your models. Instead, implement the authorized_for_#{crud_type}? methods like this:

# There is no record yet on create, so ActiveScaffold calls this on the model
# class. permitted_to? is an instance helper, so ask the engine directly for
# this model's context (derived from the table name, as declarative_authorization does).
def self.authorized_for_create?
  Authorization::Engine.instance.permit?(:create,
    :user => Authorization.current_user, :context => name.tableize.to_sym)
end

def authorized_for_read?
  permitted_to? :read
end

def authorized_for_update?
  permitted_to? :update
end

def authorized_for_delete?
  permitted_to? :delete
end

And that is pretty much it. If you don’t implement these methods on a particular model/controller, then there is no security check on it at all: every action falls back to security.default_permission, which is true unless you change it.
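To make the last point concrete, here is an added, self-contained example (not code from ActiveScaffold or declarative_authorization): a constructed POLICY hash and a tiny permitted_to? stand in for the real rule set, and action_allowed? mimics ActiveScaffold's lookup of the #{action}_authorized? hooks with the default_permission fallback. The controller deliberately omits delete_authorized? so you can see that a missing hook is decided by the default, not by your rules.

```ruby
# Constructed stand-in for a declarative_authorization rule set
# (role => context => privileges); not the real authorization_rules.rb DSL.
POLICY = {
  :admin  => { :posts => [:create, :read, :update, :delete] },
  :editor => { :posts => [:read, :update] },
  :guest  => { :posts => [:read] }
}.freeze

# Minimal equivalent of permitted_to?(privilege, context) for an explicit role.
def permitted_to?(role, privilege, context)
  POLICY.fetch(role, {}).fetch(context, []).include?(privilege)
end

# A controller carrying the per-action hooks from this page. delete_authorized?
# is deliberately left out to show what happens when a hook is missing.
class PostsController
  attr_reader :role

  def initialize(role)
    @role = role
  end

  def create_authorized?
    permitted_to?(role, :create, :posts)
  end

  def list_authorized?
    permitted_to?(role, :read, :posts)
  end

  def show_authorized?(record = nil)
    permitted_to?(role, :read, :posts)
  end

  def update_authorized?(record = nil)
    permitted_to?(role, :update, :posts)
  end
end

# Mimics ActiveScaffold's lookup: call "#{action}_authorized?" when the
# controller defines it, otherwise return security.default_permission.
def action_allowed?(controller, action, default_permission)
  hook = "#{action}_authorized?"
  return controller.send(hook) if controller.respond_to?(hook)
  default_permission
end
```

With default_permission left at true, a guest is allowed to delete posts simply because no delete_authorized? hook exists; with false the same request is denied until a hook permits it.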
