[rspec-users] [rails] An authorization question

James Byrne lists at ruby-forum.com
Mon Mar 2 15:59:04 EST 2009

unknown wrote:

>> sam.authorized?(controller_or_model, action)?
> I'll suggest that it's the controllers who are responsible for telling 
> what role or other requirements need to be satisfied to get their 
> services, and that it's the job of the user object (maybe by delegating 
> to some role class or objects) to provide the information as to whether 
> those requirements are met.

That is what I thought that I was doing.  The Controller sends the 
message to the User Instance telling it to answer the question: are you 
authorized to perform "controller + action"?; or role, or whatever the 
controller sends as the criteria to be met.  It seems to me necessary 
that the User model receive the context of the authorization call.  Now 
the actual check on whether user x is authorized to perform the create 
method of the PaymentReceivedController is done in the #authorized? 
method of User.

Is this what should be done or is there a different way?

Posted via http://www.ruby-forum.com/.
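
The division of responsibility discussed in this message, as an added example that is not part of the original post or thread: the controller declares what each action requires, and the user object answers whether those requirements are met. It is plain Ruby without Rails; every name except `authorized?` and `PaymentReceivedController` (the `DeclaresRequirements` module, `requires`, `required_roles_for`, the role names and the sample users) is hypothetical.

```ruby
require "set"

# Controller side: each controller declares which roles an action requires.
# (Hypothetical helper module, not a Rails or plugin API.)
module DeclaresRequirements
  def requires(action, *roles)
    requirements[action.to_sym] = roles.map(&:to_sym).to_set.freeze
  end

  def requirements
    @requirements ||= {}
  end

  # Returns nil for an action with no declaration, so callers can deny it.
  def required_roles_for(action)
    requirements[action.to_sym]
  end
end

class PaymentReceivedController
  extend DeclaresRequirements
  requires :index,  :clerk, :accountant
  requires :create, :accountant
end

# User side: receives the context (controller + action) and answers
# whether its own roles satisfy what the controller declared.
class User
  def initialize(name, *roles)
    @name  = name
    @roles = roles.map(&:to_sym).to_set
  end

  def authorized?(controller, action)
    required = controller.required_roles_for(action)
    # Deny by default: an undeclared action or an empty role list never passes.
    return false if required.nil? || required.empty?
    !(@roles & required).empty?
  end
end

# Constructed sample users.
sam = User.new("sam", :clerk)
pat = User.new("pat", :accountant)
puts sam.authorized?(PaymentReceivedController, :create)
puts pat.authorized?(PaymentReceivedController, :create)
```

Because the role lists live on the controller, `User#authorized?` needs no knowledge of individual controllers, and an action that was never declared is refused rather than allowed.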
