[rspec-users] [rails] An authorization question

r_j_h_box-sf at yahoo.com r_j_h_box-sf at yahoo.com
Mon Mar 2 15:22:44 EST 2009

----- Original Message ----
> From: James Byrne <lists at ruby-forum.com>

> Mark Wilden wrote:
> > Actually, it's the other way around.
> > 
> > http://www.pragprog.com/articles/tell-dont-ask
> I have read this article and it leaves me rather more confused than not. 

That's the danger of oversimplification.  Another way to phrase it is, don't rely on objects for things they know.  Rely on them for things they know how to do.

Now it boils down to who's responsible.  The door's lock is responsible for reading the key, and the bolt is responsible for unlocking the door.   The door is only responsible for letting me in, along with some cold air.  The key is a role here, the lock is the controller, and the bolt... okay, the analogy breaks down again.  But consider zones of responsibility.

> sam.authorized?(controller_or_model, action)?

I'll suggest that it's the controllers who are responsible for telling what role or other requirements need to be satisfied to get their services, and that it's the job of the user object (maybe by delegating to some role class or objects) to provide the information as to whether those requirements are met.  

I smell something when I think about individual models specifying their requirements.  Front-gate access through the controller actions smells more correct to me.  

If your actions can't be boiled down that atomically, I ask the question, "is there something else wrong?".
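
The split of responsibility described in this message, sketched in plain Ruby as an added example that is not part of the original post or the thread: each controller declares what its actions require, the user object only answers whether a requirement is met, and one front gate enforces it. All class and method names are hypothetical, and treating an action with no declared requirement as closed is an assumption of the example.

```ruby
# Added illustration; every name here is hypothetical, not from the thread.
class User
  def initialize(roles)
    @roles = roles
  end

  # The user answers one question: is this requirement met?
  def satisfies?(requirement)
    @roles.include?(requirement)
  end
end

class GatedController
  class Forbidden < StandardError; end

  # Each controller class declares what its own actions require.
  def self.requires(role, only:)
    only.each { |action| requirements[action] = role }
  end

  def self.requirements
    @requirements ||= {}
  end

  # Front gate: every action passes through here before it runs.
  def dispatch(action, user)
    required = self.class.requirements[action]
    # Assumption of this example: an undeclared action stays closed.
    raise Forbidden, "#{action}: no requirement declared" if required.nil?
    raise Forbidden, "#{action}: requires #{required}" unless user && user.satisfies?(required)
    public_send(action)
  end
end

class InvoicesController < GatedController
  requires :clerk, only: [:index, :show]
  requires :admin, only: [:destroy]

  def index; "listing invoices"; end
  def show; "showing invoice"; end
  def destroy; "invoice destroyed"; end
  def export; "exported"; end # deliberately left undeclared
end

# Runs an action through the gate and reports the outcome as a string.
def attempt(controller, action, user)
  controller.dispatch(action, user)
rescue GatedController::Forbidden => e
  "403 #{e.message}"
end
```

Because the requirement table lives on the controller, a spec can check the gate without touching any model: a clerk reaches `index`, is refused `destroy`, and nobody reaches the undeclared `export`.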

