[rspec-users] [rails] An authorization question

Andrew Premdas apremdas at gmail.com
Tue Mar 3 11:07:30 EST 2009

I think this discussion has gone backwards a bit. Here is what I think the
index method in the invoices controller should be like

def index
    # decide what to do if we can't get collection
end

Now clearly this needs some work to get it to work ...

1) What is 'invoice'

Rails by default ties 'invoice' to a class in app/model. Usually this is an
ActiveRecord model class, but it doesn't have to be. We can always put
another layer in between (e.g. a Presenter) if it makes our code simpler.

2) Authentication parameters

Clearly these need to be passed through to get_collection. This can be done
by parameters or by making the authentication available in a wider context.

3) Exceptions

We need an exception hierarchy. NotAuthorised, NotFound etc.

All the controller should do is get the collection and deal with exceptions
if the collection is not available. (n.b. the collection being empty is not

Rails historically has corrupted (compromised, polluted ...) MVC by allowing
concerns of how we get the collection to be included in the controller.
RESTful design has highlighted the problems with this and now we end up with
this situation where things like authentication and authorisation don't
really have an obvious place.

These things - authentication, authorisation and the exception handling (for
the resource) - are services which all resources need access to. They need
to be separated and applied in a cross-cutting manner. Perhaps we could do
things more elegantly with an Aspect Orientated solution.


2009/3/2 Zach Dennis <zach.dennis at gmail.com>

> Forgot to mention what we did do. We ended up with the following...
> def index
>   if user.has_role?("admin")
>     user.in_role("admin").invoices
>   elsif user.has_role?("associate")
>     user.in_role("associate").invoices
>   else
>     raise AccessDenied
>   end
> end
> To us, the change here is subtle, but important. The controller is
> allowed to ask for invoices from each role, but is not allowed to know
> how to find the invoices; that's the behaviour of the role.
> > --
> > Zach Dennis
> > http://www.continuousthinking.com
> > http://www.mutuallyhuman.com
> >
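Below is a plain-Ruby sketch of the layering Andrew argues for, added here as an illustration; it is not code from this thread, from Rails or from rspec. The names InvoiceRepository.get_collection, NotAuthorised, NotFound, the User/Invoice structs and the sample rows are all assumptions made for the example. The point it adds to the prose: the controller only asks for the collection and maps exceptions to responses, the model layer owns the rule for which rows a caller may see, and a single-record lookup is done inside the authorised collection rather than with a global find, so a user cannot reach another user's invoice by guessing an id.

```ruby
# Added example, not code from the original thread. Names such as
# InvoiceRepository.get_collection, NotAuthorised, NotFound and the
# User/Invoice structs are assumptions for illustration only.

# 3) An exception hierarchy the controller can rescue on by class.
class ResourceError < StandardError; end
class NotAuthorised < ResourceError; end
class NotFound      < ResourceError; end

# Constructed sample data standing in for the ActiveRecord tables.
User    = Struct.new(:name, :roles)
Invoice = Struct.new(:id, :owner, :amount)

INVOICES = [
  Invoice.new(1, "alice", 100),
  Invoice.new(2, "bob",    50),
  Invoice.new(3, "carol",  75),
].freeze

# 1) and 2): the model layer owns the rule for *which* invoices a caller may
# see. The authentication context (the user) is passed in explicitly; the
# controller never learns how a role maps to rows.
module InvoiceRepository
  module_function

  def get_collection(user)
    raise NotAuthorised, "no user" if user.nil?
    if user.roles.include?("admin")
      INVOICES
    elsif user.roles.include?("associate")
      INVOICES.select { |i| i.owner == user.name }
    else
      # A user with no invoice-related role is refused, not handed an empty
      # list: an empty collection is a legitimate result, refusal is an error.
      raise NotAuthorised, "#{user.name} may not list invoices"
    end
  end

  # Single-record lookup is scoped to the authorised collection, so an id
  # belonging to someone else is simply "not found" for this caller.
  def get(user, id)
    inv = get_collection(user).find { |i| i.id == id }
    raise NotFound, "invoice #{id}" unless inv
    inv
  end
end

# The controller's whole job: obtain the collection, map failures to responses.
# Methods return a [status, body] pair instead of rendering so they can be
# exercised without Rails.
class InvoicesController
  def initialize(current_user)
    @current_user = current_user
  end

  def index
    [200, InvoiceRepository.get_collection(@current_user)]
  rescue NotAuthorised => e
    [403, e.message]
  rescue NotFound => e
    [404, e.message]
  end

  def show(id)
    [200, InvoiceRepository.get(@current_user, id)]
  rescue NotAuthorised => e
    [403, e.message]
  rescue NotFound => e
    [404, e.message]
  end
end

if __FILE__ == $0
  admin = User.new("root", ["admin"])
  bob   = User.new("bob", ["associate"])
  guest = User.new("guest", [])
  p InvoicesController.new(admin).index[1].map(&:id)   # [1, 2, 3]
  p InvoicesController.new(bob).index[1].map(&:id)     # [2]
  p InvoicesController.new(guest).index                # [403, "guest may not list invoices"]
  p InvoicesController.new(bob).show(1)                # [404, "invoice 1"]
end
```

Note that `show` never calls a global finder: because it searches inside `get_collection(user)`, an associate asking for invoice 1 (owned by alice) gets 404 rather than the record, which is what makes the authorisation rule cross-cutting instead of something each action has to remember.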