[rspec-users] [rails] An authorization question

Chris Flipse cflipse at gmail.com
Sat Feb 28 12:52:54 EST 2009

I've been going back over some legacy code, backfilling tests, and I'm
encountering something that is causing no small amount of pain.  This is in
a mature Rails app, that's  lived and migrated from 1.1 through to 2.1, so
there's a lot of ancient cruft built up in the corners that I've been trying
to clean up.

My question/pain point revolves around authorization.  In at least two
different models in the system  -- areas that are core to the functionality
-- there are models that run through a state transition.  Only certain users
are allowed to make those transitions, however.  You're basic "only an admin
can publish an article" kind of restrictions.

These models show up across most of the app -- several different
controllers.  As such, long, long ago, someone patched updated the site
authentication code to assign a User.current singleton inside the
login_required filter.  This is then used by *several* models, sometimes to
populate an updated_by stamp, sometimes it's actually used within a models
validations(!), and it's definately used within some of the state-transition

Now, this is really just a global variable by another name, and it's pretty
well embedded after two years.  I've come upon a whole bunch of different
pain points in trying to setup data (real data) within the cucumber steps
I've been backfilling.  Lacking any support of injection, I end up doing a
lot of juggling of the User.current value, just to get some test data built
and in the right set of states ... and while I can bury the temporary
reassignments necessary inside a block, it still feels like it's an
intractable mess.

I know *why* this was originally done -- to avoid having to pass User
objects around all the time, and it does _appear_ to keep the API clean --
but the hidden dependancy isn't really clean.

So, does anyone have any suggestions of how to easily manage model level
user authorization?

// anything worth taking seriously is worth making fun of
// http://blog.devcaffeine.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://rubyforge.org/pipermail/rspec-users/attachments/20090228/3950f1f9/attachment.html>

More information about the rspec-users mailing list