[rspec-users] [rails] An authorization question

Mark Wilden mark at mwilden.com
Tue Mar 3 02:21:37 EST 2009

On Mon, Mar 2, 2009 at 10:34 PM, Stephen Eley <sfeley at gmail.com> wrote:
> On Tue, Mar 3, 2009 at 1:04 AM, Mark Wilden <mark at mwilden.com> wrote:

>>  user.role.invoices
> Heh.  Which is what Zach said he wanted to do, and it isn't wrong.

Actually, I thought Zach was talking about a method on User called in_role.

> But it doesn't seem right to *me* that roles know about invoices.

Roles know about access to invoices. That's what their purpose is - to
let people do some things and not let them do others.

> 8->  As I see it, if you go that path you end up having to inform
> roles about every *other* model, and consolidating all your business
> logic in one class.

You do consolidate all your _access_ logic in one class, just as you
might consolidate all your sales tax knowledge in another class. That
way you have one source of responsibility for that behavior.
Otherwise, if you added, changed or deleted a role, you'd have to
change every model.

This is basically the Mediator pattern. Pluses and minuses, to be sure.
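
The design argued for above (one role object owning all access logic, reached as user.role.invoices), as an added example that is not part of the original post or anyone's code from the thread. It is plain Ruby without Rails; apart from user.role.invoices, every class name, method name and data value is a hypothetical, constructed one.

```ruby
# Invoice knows nothing about roles; access rules live only in Role classes.
Invoice = Struct.new(:id, :owner_id, :amount)

# Constructed sample data standing in for a database table.
INVOICES = [
  Invoice.new(1, 10, 120),
  Invoice.new(2, 11, 75),
  Invoice.new(3, 10, 300)
].freeze

# Base role denies by default, so a newly added role sees nothing
# until it explicitly grants access.
class Role
  def initialize(user)
    @user = user
  end

  def invoices
    []
  end

  # Lookups by id go through the scoped collection, so an id that is
  # outside the role's scope behaves exactly like a missing record.
  def find_invoice(id)
    invoices.find { |invoice| invoice.id == id }
  end
end

class CustomerRole < Role
  def invoices
    INVOICES.select { |invoice| invoice.owner_id == @user.id }
  end
end

class AccountantRole < Role
  def invoices
    INVOICES
  end
end

class User
  attr_reader :id

  def initialize(id, role_class)
    @id = id
    @role_class = role_class
  end

  def role
    @role_class.new(self)
  end
end
```

Adding, changing or deleting a role touches only the Role hierarchy; Invoice and any other model stay unchanged.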

