File: README — Documentation for langalex-totally-restful-authorization (0.0.4)

totally restful authorization

This plugin adds an authorization layer to your rails app that is <del>completely</del> totally transparent to your restful controllers. all you have to is include a module in your controller and provide 4 methods in your model that control who is allowed to access it or not. the controllers will then automatically block or allow the usual crud actions (new, create, edit, update, show, destroy) to run or not.

How it works

Call check_authorization in your restful controller…

class ApplicationController < ActionController::Base

check_authorization

end

… and then declare the permissions in your model:

class User updatable_by :admin # updatable if updater.admin? return true updatable_by :admin, :only => [:description] # only allow some attribute to be updated updatable_by :self # special role self, allows the object to update itself updatable_by :associated => :friend # allow user.friend to update the object viewable_by :anyone # special role, includes nil viewable_by :admin, :condition => lambda{|user, viewer| user.non_admin? && viewer.account_activated?} # use conditions for more complex permissions destroyable_by [:admin, :root] # declare multiple roles at once end

Or implement one or more of these four methods directly:

class User

def updatable_by?(user, field = nil)
  true
end

def creatable_by?(user, field = nil)
  true
end

def destroyable_by?(user)
  true
end

def	viewable_by?(user)
  true
end

end

The fields parameter is either nil to determine if an object can be updated at all or a symbol of a field name. The user parameter is taken from the current_user in your controller (so you have to provide a current_user method, or install restful_authentication or something like that).

From now on your controller will run a before filter before the new/create/edit/update/destroy/show actions to make sure that the current_user is allowed to update/create/destroy/view the model. If you don’t declare any permissions no actions can be performed on your model.

For questions, patches etc. contact alexupstream-berlin.com