[rspec-users] [rails] An authorization question
andy at elaptics.co.uk
Sun Mar 1 16:05:08 EST 2009
On 28 Feb 2009, at 22:26, Chris Flipse wrote:
> Yes! This is what I was trying (poorly) to get at.
> Responsibility issues might be a large part of why it got factored
> this way to begin with. The global is bad. Really bad, which is
> why I'm trying to figure out something that works better. But I
> believe it was put in place so that a model can be responsible for
> it's own authorization. Some of the models are used and updated
> from several different controllers, so any authorization logic
> external to the model would have had to be repeated in several
> different locations.
> The concern with that might be an over-enthusiastic embrace of DRY.
> However some of the authorization stuff is Really Really Important,
> so embedding the authorization logic in the model itself was seen as
> a way to ensure it's not forgotten about.
> Half of my problem right now is that I'm not even sure what layer to
> put model specific authentication! If it's in the controller layer,
> it's repeated logic in every controller that touches the model in
> question. If it's in the model, the logic is centralized, but now
> your model needs not only to know about Users in general, it needs a
> specific user. You have less chance of someone doing Something They
> Shouldn't due to a forgotten check in a controller, but the test
> setup seems to suffer for it.
> One way or the other, the global User.current is going away --
> soon. It's just a question of what to replace it with, and where.
I was only skim-reading this topic so I may be misunderstanding what
you're after but I think that maybe what you're looking for is
something like http://github.com/stffn/declarative_authorization/tree/master
, a Rails plugin that allows you to specify the authorisation in a
single place for both controllers and at the model level. I've just
started using it for a project and so far it seems a good fit, though
I'm trying to keep the whole app as restful resources which makes
things a little easier.
It also has a few test helper methods which make it really easy to use
with Cucumber and RSpec.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the rspec-users