[rspec-users] [rails] An authorization question

Stephen Eley sfeley at gmail.com
Tue Mar 3 00:01:03 EST 2009

On Sat, Feb 28, 2009 at 5:26 PM, Chris Flipse <cflipse at gmail.com> wrote:
> Half of my problem right now is that I'm not even sure what layer to put
> model specific authentication!  If it's in the controller layer, it's
> repeated logic in every controller that touches the model in question.  If
> it's in the model, the logic is centralized, but now your model needs not
> only to know about Users in general, it needs a specific user.

My two cents:

1.) I feel authorization belongs in two places: models and views.
Models need to know what they're allowed to do.  Authorization becomes
a scope on reads and a validation on updates.  Views (specifically
helper methods) need to know whether they're allowed to show that
"Edit" button, etc.  That's not critical path, that's navigation,
maybe one step up from cosmetics.  I don't see a reason why
controllers need to know as long as they can handle nils coming back
from the models.

2.) In both cases, you need to know who the current user is, and
that's fine.  Figuring it out is the job of *authentication*, not
authorization.  Your authentication stack just needs to give you a
hook where you can ask it for the user, and your authorization stack
should handle it sensibly if the answer is 'nil.'  The
restful_authentication plugin implements current_user as a global
Application method, but that's not the only way to do it.

3.) Consider separating the authorization stuff from the core business
logic of your app, and implementing it as a module on the authorizable
classes instead.  Then if your basic authz behavior changes, you
(ideally) only have to change it in one place.  And it doesn't mess up
the readability of your main behavior.

...And because everyone else is doing it, here are my design notes on
my own overcomplicated authorization system (which, caveat, has yet to
be built, but I wrote this all down anyway to get it out of my head):


I know it looks rather overdone, and it's perfectly possible that it
is, but my requirements were sincere:

* it needs to handle both users and groups, and
* I wanted it to be hierarchical, such that privileges on parent pages
trickle down to their children.

Between those two constraints, I couldn't off the top of my head think
of anything more elegant.

Have Fun,
   Steve Eley (sfeley at gmail.com)
   ESCAPE POD - The Science Fiction Podcast Magazine

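To make the layering in the reply above concrete, here is an added example in plain Ruby (no Rails, no ActiveRecord, not code from the post or from restful_authentication): authorization lives in a module mixed into the authorizable model, reads become a filtering scope, updates become a validation, a view helper only asks the model whether to draw the "Edit" button, a nil current user is treated as having no rights, and grants on a parent page trickle down to its children for both users and groups. Every name in it (Authorizable, Page, Grant, PagesHelper, update_as!, authorization_demo) and all the sample data are invented for this illustration.

```ruby
# Added example, not from the post. Plain Ruby sketch of "authz as a module on the
# authorizable classes": read = scope, update = validation, view = helper, nil user = denied.
# All class/module/method names below are hypothetical.

AuthorizationError = Class.new(StandardError)

User  = Struct.new(:name, :groups)       # groups: Array of group names (Strings)
Grant = Struct.new(:principal, :right)   # principal: a User or a group name; right: :read or :write

module Authorizable
  RIGHTS = [:read, :write].freeze

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Read side: the "scope". With ActiveRecord this would be a real scope;
    # here it simply filters an Enumerable down to what +user+ may see.
    def readable_by(collection, user)
      collection.select { |record| record.allows?(user, :read) }
    end
  end

  # Grants on this record plus every ancestor's grants (privileges trickle down).
  def effective_grants
    parent ? grants + parent.effective_grants : grants
  end

  # The single authorization decision. A nil user (not logged in) gets false,
  # so neither controllers nor views have to special-case anonymous access.
  def allows?(user, right)
    raise ArgumentError, "unknown right #{right.inspect}" unless RIGHTS.include?(right)
    return false if user.nil?
    effective_grants.any? { |g| satisfies?(g.right, right) && applies_to?(g.principal, user) }
  end

  # Write side: the "validation". Returns error messages, empty when the update is allowed.
  def validate_update(user)
    return [] if allows?(user, :write)
    ["#{user.nil? ? 'anonymous' : user.name} may not update this #{self.class.name}"]
  end

  # Apply +attrs+ only if the validation passes; otherwise raise so a controller can
  # rescue one error type generically instead of re-implementing the check.
  def update_as!(user, attrs)
    errors = validate_update(user)
    raise AuthorizationError, errors.join("; ") unless errors.empty?
    attrs.each { |name, value| public_send("#{name}=", value) }
    self
  end

  private

  def satisfies?(granted, wanted)
    granted == wanted || (wanted == :read && granted == :write)   # writers may also read
  end

  def applies_to?(principal, user)
    principal == user || (principal.is_a?(String) && user.groups.include?(principal))
  end
end

# The business model knows nothing about the decision logic; it just mixes it in.
class Page
  include Authorizable
  attr_accessor :title, :body, :parent
  attr_reader :grants

  def initialize(title, parent: nil)
    @title, @parent, @grants = title, parent, []
  end

  def grant(principal, right)
    @grants << Grant.new(principal, right)
    self
  end
end

# View layer: a navigation-only decision that reuses the model's answer.
module PagesHelper
  module_function

  def show_edit_button?(page, current_user)
    page.allows?(current_user, :write)
  end
end

# Constructed sample data exercising users, groups, inheritance and anonymous access.
def authorization_demo
  alice  = User.new("alice", ["editors"])
  bob    = User.new("bob", [])
  root   = Page.new("Handbook").grant("editors", :write).grant(bob, :read)
  child  = Page.new("Onboarding", parent: root)   # no grants of its own; inherits root's
  secret = Page.new("Salaries")                    # no grants anywhere
  pages  = [root, child, secret]

  bob_edit_denied = begin
    child.update_as!(bob, title: "Hacked")
    false
  rescue AuthorizationError
    true
  end
  child.update_as!(alice, title: "Onboarding v2")   # alice is an editor via her group

  {
    alice_reads:     Page.readable_by(pages, alice).map(&:title),
    bob_reads:       Page.readable_by(pages, bob).map(&:title),
    anon_reads:      Page.readable_by(pages, nil).map(&:title),
    bob_sees_edit:   PagesHelper.show_edit_button?(child, bob),
    alice_sees_edit: PagesHelper.show_edit_button?(child, alice),
    bob_edit_denied: bob_edit_denied,
    child_title:     child.title,
  }
end

puts authorization_demo.inspect if $PROGRAM_NAME == __FILE__
```

Note that the controller never appears: it would call `Page.readable_by(pages, current_user)` and `page.update_as!(current_user, params)` and rescue `AuthorizationError`, which is exactly the "controllers only need to handle what comes back" position the reply takes.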