[rspec-users] [rails] An authorization question

Andrew Henson andy at elaptics.co.uk
Sun Mar 1 16:05:08 EST 2009

On 28 Feb 2009, at 22:26, Chris Flipse wrote:
> Yes!  This is what I was trying (poorly) to get at.
> Responsibility issues might be a large part of why it got factored  
> this way to begin with.  The global is bad.  Really bad, which is  
> why I'm trying to figure out something that works better.  But I  
> believe it was put in place so that a model can be responsible for
> its own authorization.  Some of the models are used and updated
> from several different controllers, so any authorization logic  
> external to the model would have had to be repeated in several  
> different locations.
> The concern with that might be an over-enthusiastic embrace of DRY.   
> However some of the authorization stuff is Really Really Important,  
> so embedding the authorization logic in the model itself was seen as  
> a way to ensure it's not forgotten about.
> Half of my problem right now is that I'm not even sure what layer to  
> put model specific authentication!  If it's in the controller layer,  
> it's repeated logic in every controller that touches the model in  
> question.  If it's in the model, the logic is centralized, but now  
> your model needs not only to know about Users in general, it needs a  
> specific user.  You have less chance of someone doing Something They  
> Shouldn't due to a forgotten check in a controller, but the test  
> setup seems to suffer for it.
> One way or the other, the global User.current is going away --  
> soon.  It's just a question of what to replace it with, and where.

I was only skim-reading this topic so I may be misunderstanding what  
you're after but I think that maybe what you're looking for is  
something like http://github.com/stffn/declarative_authorization/tree/master,
a Rails plugin that allows you to specify the authorisation in a
single place for both controllers and at the model level. I've just  
started using it for a project and so far it seems a good fit, though  
I'm trying to keep the whole app as restful resources which makes  
things a little easier.

It also has a few test helper methods which make it really easy to use  
with Cucumber and RSpec.
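
The trade-off discussed in the quoted message, sketched in plain Ruby as an added example (not part of the thread, and not the declarative_authorization plugin's API): the rules live in one place and the model enforces them, but the acting user is passed in explicitly instead of being read from a global such as User.current. All names (Policy, Invoice, NotAuthorized, and the two controller stand-in methods) are hypothetical.

```ruby
# Added illustration; every name here is hypothetical, not from the thread.
class NotAuthorized < StandardError; end

User = Struct.new(:name, :roles)

# One place holding the rules, keyed by [model, action].
module Policy
  RULES = {
    [:invoice, :read]   => ->(user, inv) { user.roles.include?(:admin) || inv.owner == user.name },
    [:invoice, :update] => ->(user, _inv) { user.roles.include?(:admin) }
  }.freeze

  # Deny by default: no user or no matching rule means no access.
  def self.permit?(user, action, model, record)
    rule = RULES[[model, action]]
    return false if user.nil? || rule.nil?
    rule.call(user, record)
  end
end

class Invoice
  attr_reader :owner, :amount

  def initialize(owner, amount)
    @owner = owner
    @amount = amount
  end

  # The model enforces its own rule, so no caller can skip it, but the
  # acting user arrives as an argument rather than via a global.
  def read(as:)
    raise NotAuthorized, "read denied" unless Policy.permit?(as, :read, :invoice, self)
    amount
  end

  def update_amount(new_amount, as:)
    raise NotAuthorized, "update denied" unless Policy.permit?(as, :update, :invoice, self)
    @amount = new_amount
  end
end

# Stand-ins for two controllers touching the same model; neither repeats the rule.
def billing_update(current_user, invoice, amount)
  invoice.update_amount(amount, as: current_user)
end

def reports_show(current_user, invoice)
  invoice.read(as: current_user)
end
```

A spec can build a User and pass it straight in, with no global state to set up or reset between examples.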


