<p>authenticates_access is a Rails plugin for doing model-based access control. It should really be called authorizes_access but the name seems to have stuck. Head on over to <a href="http://github.com/asquared/authenticates_access">github</a> and check it out.</p> <h3>Accessors</h3> <p>These are models which act as security &ldquo;principals&rdquo; - they request access to an object, and the object has rules and methods to determine whether the accessor should be allowed a certain type of access. Examples of possible accessors include users, groups, or API keys. They needn't be derived from ActiveRecord and could be a custom class.</p> <h3>Installing</h3> <pre>ruby script/plugin install git://github.com/asquared/authenticates_access.git</pre> <h3>Controller Setup</h3> <p>In your ApplicationController, load up an accessor before actions take place:</p> <pre>class ApplicationController &lt; ActionController::Base ... before_filter :set_up_accessor ... protected def set_up_accessor ActiveRecord::Base.accessor = yourAccessor end end </pre> <h3>Model Setup</h3> <p>In your models, set up some access rules using class methods. The rules of precedence are as follows.</p> <ol> <li>Rules of the same type are evaluated in the order they appear in the model.</li> <li>If any rule in a list passes, access is allowed. All rules must fail for access to be denied.</li> <li>If no rules of a given type are defined, access is always allowed.</li> <li>Writes to attributes are automatically denied if saves are being denied for the current accessor.</li> <li>Be aware, there is some magic for the predefined allow_owner test for a new record. See below.</li> </ol> <p><tt>authenticates_access</tt> - defines some magical instance methods for views and controllers to determine what is currently allowed. These include <tt>allowed_to_save</tt>, <tt>allowed_to_destroy</tt>, and <tt>allowed_to_write(attr)</tt>. This is automatically done by any of the other methods so it is unlikely you need to do this explicitly.</p> <p><tt>authenticates_saves :with_accessor_method =&gt; :is_admin</tt> - allows the record to be saved (or destroyed) if the current accessor is an admin.</p> <p><tt>has_owner :user</tt> - following <tt>belongs_to :user</tt>, declares that the user is an owner of the object. Creates instance methods <tt>owner</tt>, <tt>owner_id</tt>, <tt>owner_id=</tt>, <tt>allow_owner</tt>.</p> <p><tt>authenticates_saves :with =&gt; :allow_owner</tt> - allows the record to be saved by its owner. This will also allow new records to be saved anonymously. Note that <tt>allow_owner</tt> is an instance method that will be added by <tt>has_owner</tt>.</p> <p><tt>authenticates_creation :with_accessor_method =&gt; :is_registered</tt> - restricts creation to only valid accessors for which <tt>is_registered</tt> returns true. Adds class method <tt>allowed_to_create</tt>.</p> <p><tt>autosets_owner_on_create</tt> - sets the owner ID to the accessor's ID, if the accessor is present. Be careful that the accessor is always of the same type as the owner!</p> <p><tt>authenticates_writes_to :something, :with_accessor_method =&gt; :is_admin</tt> - allows writes to the <tt>something</tt> attribute only if the accessor's <tt>is_admin</tt> method returns true.</p> <p>Here's an example model from the <a href="http://electronics.union.rpi.edu/">RPI Electronics Club</a> website (which is still under development:</p> <pre>class Comment &lt; ActiveRecord::Base belongs_to :member belongs_to :meeting belongs_to :photo has_owner :member autosets_owner_on_create # this will allow a newly created object to be saved anonymously, since we # don't authenticate_creation. But updates will be disallowed. authenticates_saves :with =&gt; :allow_owner authenticates_saves :with_accessor_method =&gt; :is_admin authenticates_saves :with_accessor_method =&gt; :is_officer authenticates_writes_to :member_id, :with_accessor_method =&gt; :is_admin sanitizes_html :body, :allowed_tags =&gt; [ 'p', 'em', 'strong', 'span '], :safe_attributes =&gt; { 'span' =&gt; [ 'style' ] } validates_presence_of :subject validates_presence_of :body ... end</pre> <h3>Views</h3> <p>The instance and class methods defined by the different tests can be used to hide otherwise-unusable links in views. Here are a few examples from the electronics club website:</p> <pre>&lt;% if OpenLab.allowed_to_create %&gt; &lt;%= link_to 'Add lab hours', new_open_lab_path %&gt; &lt;% end %&gt; &lt;td&gt; &lt;% if open_lab.allowed_to_save %&gt; &lt;%= link_to 'Edit', edit_open_lab_path(open_lab) %&gt; &lt;% end %&gt; &lt;/td&gt; &lt;td&gt; &lt;% if open_lab.allowed_to_destroy %&gt; &lt;%= link_to 'Remove', open_lab, :confirm =&gt; 'Are you sure?', :method =&gt; :delete %&gt; &lt;% end %&gt; &lt;/td&gt; &lt;% if @open_lab.allowed_to_write(:member_id) %&gt; &lt;p&gt; &lt;%= f.label :member_id %&gt;&lt;br /&gt; &lt;%= f.collection_select(:member_id, Member.find(:all), :id, :name) %&gt; &lt;/p&gt; &lt;% end %&gt; </pre> <h3>Error Handling</h3> <p>Saves will fail if the access tests don't pass, but currently, there's no message added to the record if it does. If you protect your links and form fields with the <tt>allowed_to_</tt> methods, it shouldn't be an issue. This should be addressed in an upcoming release.</p> 3 2009-06-23T18:16:58-04:00 15 authenticates_access 2009-06-23T19:29:07-04:00