Authorization-san lets you declare access policies in your controllers. The plugin makes a few assumptions about the application:

  • If a user has authenticated with the application, that user is stored in @authenticated. How the user was authenticated doesn't matter, and neither does what you put in @authenticated, as long as it's truthy; it should be falsy (typically nil) when nobody is authenticated.

  • @authenticated has either a role attribute or a number of methods to query for the role: admin?, editor?, guest?. When the @authenticated object doesn't have role methods you can't use role-based authorization rules, but the rest still works.

What does it look like?

class BooksController < ActionController::Base
  # Visitors can see list of books and book pages
  allow_access :all, :only => [:index, :show]
  # An editor can create new books, but…
  allow_access :editor, :only => [:new, :create]
  # …she can only update her own books: the block runs in the controller
  # instance and must return a truthy value for access to be granted.
  allow_access(:editor, :only => [:edit, :update]) { @book = @authenticated.books.find(params[:id]) }
  # Admin users can do it all.
  allow_access :admin
end
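To make the semantics of the rules above concrete, here is a small self-contained model of how such declarations evaluate, written for this page; it is not authorization-san's own code. The AccessRules module, the authorized? method, and the FakeUser/FakeBook/FakeBooks stand-ins (which replace the ActiveRecord objects a real controller would see) are assumptions made for the illustration. It demonstrates the three points the plugin relies on: a falsy @authenticated only satisfies :all, a role rule matches via a role? query method or a role attribute, and a block constraint is executed in the controller instance and must return something truthy.

```ruby
# Added example: a minimal model of the allow_access semantics described
# in this README. Not authorization-san's code; AccessRules, authorized?,
# FakeUser, FakeBook and FakeBooks are names invented for this illustration.
module AccessRules
  Rule = Struct.new(:role, :only, :condition)

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def access_rules
      @access_rules ||= []
    end

    # allow_access :editor, :only => [:edit, :update] { ... }
    # :only => nil means the rule applies to every action.
    def allow_access(role, options = {}, &condition)
      only = options[:only] && Array(options[:only]).map(&:to_sym)
      access_rules << Rule.new(role, only, condition)
    end
  end

  # Default deny: an action is permitted only if at least one rule matches.
  def authorized?(action)
    action = action.to_sym
    self.class.access_rules.any? do |rule|
      next false if rule.only && !rule.only.include?(action)
      next false unless role_matches?(rule.role)
      # The block runs inside the controller so it can see @authenticated
      # and params; whatever it returns is coerced to a boolean.
      rule.condition.nil? || !!instance_exec(&rule.condition)
    end
  end

  private

  def role_matches?(role)
    return true if role == :all            # :all matches even without a login
    return false unless @authenticated     # every other role needs a truthy user
    query = "#{role}?"
    if @authenticated.respond_to?(query)   # e.g. admin?, editor?
      !!@authenticated.public_send(query)
    elsif @authenticated.respond_to?(:role)
      @authenticated.role.to_s == role.to_s
    else
      false                                # no role information: role rules never match
    end
  end
end

# Constructed stand-ins for the user and the ActiveRecord-style book lookup.
FakeBook = Struct.new(:id, :owner_id)
FakeUser = Struct.new(:id, :role, :books) do
  def admin?;  role == :admin;  end
  def editor?; role == :editor; end
end
class FakeBooks
  def initialize(books); @books = books; end
  # ActiveRecord's find raises RecordNotFound for a foreign id (a 404 in
  # Rails); returning nil here keeps the example offline and still denies.
  def find(id); @books.detect { |b| b.id == id.to_i }; end
end

class BooksController
  include AccessRules
  attr_reader :params
  allow_access :all, :only => [:index, :show]
  allow_access :editor, :only => [:new, :create]
  allow_access(:editor, :only => [:edit, :update]) { @book = @authenticated.books.find(params[:id]) }
  allow_access :admin

  def initialize(authenticated, params = {})
    @authenticated = authenticated
    @params = params
  end
end

# Evaluate the policy for a visitor, an editor and an admin on constructed data.
def decisions
  book1 = FakeBook.new(1, 10)
  book2 = FakeBook.new(2, 20)
  editor = FakeUser.new(10, :editor, FakeBooks.new([book1]))
  admin  = FakeUser.new(20, :admin,  FakeBooks.new([book2]))
  {
    :visitor_index     => BooksController.new(nil).authorized?(:index),
    :visitor_new       => BooksController.new(nil).authorized?(:new),
    :editor_new        => BooksController.new(editor).authorized?(:new),
    :editor_own_edit   => BooksController.new(editor, :id => "1").authorized?(:edit),
    :editor_other_edit => BooksController.new(editor, :id => "2").authorized?(:edit),
    :admin_other_edit  => BooksController.new(admin, :id => "1").authorized?(:edit),
  }
end
```

Running decisions shows the editor can edit book 1 (her own) but not book 2, the visitor can only reach :index and :show, and the admin rule, having neither :only nor a block, grants everything. Note the ordering effect in the block rule: the role check runs before the block, so an admin never executes the editor's ownership lookup.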

The best place to start learning more is the examples directory in the source.


In order of appearance: