This library provides a very simple authorization system. It should work with most of the authentication plugins (and gems) out there, although little testing has been done in this regard. There are many similar plugins/gems and this one is probably no better than the others (see steffenbartsch.com/blog/2008/08/rails-authorization-plugins/ for a nice review). I have already used it in several small projects and it worked well for my needs.
Install role_based_authorization by issuing:
  gem install role_based_authorization
or by adding config.gem "role_based_authorization" to your Rails config file and then running 'rake gems:install'.
In your application controller, include the module RoleBasedAuthorization:
  class ApplicationController < ActionController::Base
    […]
    include RoleBasedAuthorization
    […]
  end
In your controller classes, use the permission statements (described below) to grant and deny authorization for the controller actions.
Including RoleBasedAuthorization serves three purposes: it allows subclasses of the application controller to use the 'permit' method in their class body, it provides an 'authorized?' method that implements the authorization logic, and it creates a helper method for use in views.
The library poses few and very reasonable constraints on your application. Namely, it requires:
that your controllers provide a 'current_user' method
that the user object (returned by the 'current_user' method) implements the following two methods:
role: returns the role of the current user. Roles can be anything (I personally use integers); this is usually implemented by adding a 'role' column to your user model.
You specify your authorization logic by adding a number of 'permit' calls to your controllers. Permissions granted in a controller apply to all its subclasses. Since controllers usually all inherit from the application controller, this lets you authorize every action for the 'admin' role by saying so once, in the application controller.
An important thing to keep in mind is that role_based_authorization assumes that EVERYTHING IS FORBIDDEN unless otherwise specified (deny by default). So if you do not specify any permission rule, you will end up with a very secure (though useless) application; a role or action you forget to mention is denied, not silently allowed.
The permission statement takes the form:
permit :actions => [list of actions], :to => [list of roles], :if => lambda_expression, :object_id => object_id_symbol
You can add any number of these to any of your controllers.
The :to list gives the roles this rule applies to. Its actual contents depend on what your application defines a role to be. If you use integers, it could be a vector like [1,4] or [ROOT, ADMIN], where ROOT and ADMIN are symbolic constants holding the corresponding integer values. You can address all roles by passing :all in place of the role list.
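The following is an added, stand-alone Ruby model of the semantics described above (deny by default, rules inherited by controller subclasses, :to => :all, an :if lambda). It is not the role_based_authorization gem's code and it does not need Rails; MiniRoleBasedAuthorization, the User struct, the role constants and the controllers are all constructed here for illustration. Two points are assumptions because the text does not state them: that the :if lambda receives the user object, and the :object_id option, which is left out because its meaning is not described above.

```ruby
# Added illustration of the permit/authorized? semantics described in this README.
# NOT the gem's code: a minimal model so the rules can be exercised without Rails.

# Stand-in for the user object: the library only requires it to answer to #role.
User = Struct.new(:name, :role)

# Symbolic constants for integer roles, as the text suggests.
ROOT   = 1
ADMIN  = 2
EDITOR = 3
GUEST  = 4

module MiniRoleBasedAuthorization
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # permit :actions => [...], :to => [...] or :all, :if => lambda
    # (:object_id is not modelled here; the README text above does not describe it)
    def permit(options)
      own_permissions << {
        actions:   Array(options.fetch(:actions)).map(&:to_sym),
        roles:     options.fetch(:to) == :all ? :all : Array(options.fetch(:to)),
        condition: options[:if]
      }
    end

    # Each controller class keeps its own rules...
    def own_permissions
      @own_permissions ||= []
    end

    # ...and rules granted in a controller apply to all its subclasses, so the
    # effective set is collected up the ancestor chain (ApplicationController
    # rules therefore reach every controller).
    def all_permissions
      ancestors.select { |a| a.respond_to?(:own_permissions) }
               .flat_map(&:own_permissions)
    end
  end

  # EVERYTHING IS FORBIDDEN unless some rule matches: the action is listed, the
  # role is listed (or the rule says :all), and the optional :if lambda is true.
  # Assumption: the lambda is called with the user object.
  def authorized?(action, user = current_user)
    return false if user.nil?
    self.class.all_permissions.any? do |rule|
      rule[:actions].include?(action.to_sym) &&
        (rule[:roles] == :all || rule[:roles].include?(user.role)) &&
        (rule[:condition].nil? || rule[:condition].call(user))
    end
  end
end

class ApplicationController
  include MiniRoleBasedAuthorization
  attr_accessor :current_user

  # Grant every action to ROOT and ADMIN once, here, for all controllers.
  permit :actions => [:index, :show, :new, :create, :edit, :update, :destroy],
         :to => [ROOT, ADMIN]
end

class PostsController < ApplicationController
  permit :actions => [:index, :show], :to => :all
  permit :actions => [:edit, :update], :to => [EDITOR],
         :if => lambda { |user| user.name != "suspended" }
end

# Helper to evaluate one (controller, user, action) triple.
def check(controller_class, user, action)
  controller = controller_class.new
  controller.current_user = user
  controller.authorized?(action)
end

if __FILE__ == $PROGRAM_NAME
  puts check(PostsController, User.new("alice", GUEST), :index)    # :all rule
  puts check(PostsController, User.new("alice", GUEST), :edit)     # denied by default
  puts check(PostsController, User.new("root", ROOT), :destroy)    # inherited from ApplicationController
end
```

Note that ApplicationController itself has no :to => :all rule, so a GUEST is denied :index there even though PostsController allows it; every controller is locked down until a rule in its own body or an ancestor opens an action.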