On 1/16/06, Mik Mifflin <[EMAIL PROTECTED]> wrote:
> Actually, that's not really what I was looking for.  Imagine adding roles
> through the web interface, how then do you export them using this stuff?  It
> looks like something that would be OK in a migration or rake task, I guess,
> but it doesn't really fit with the interface you already provided.  I also
> think it's overkill.

It's my feeling that the relationship between Roles and Permissions is
something that should be stated concretely as a fundamental and
important part of your final application, hence why it should be
codified explicitly somewhere in Ruby. You're right to draw the
parallel with migrations - it's a bit more work than just
dumping/restoring the schema or data, but then it doesn't tie you to a
particular implementation of Roles either. It also forces you to very
explicitly state the permissions for each Role in the system -
examining the raw table/relationship data doesn't easily let you
visually audit the security of your system.

I think what you're suggesting is a slightly more ad-hoc development
process for user roles than we (at my company) can accept, but it
might suit other people. However, I also am not sure that it's ever
good practice to be copying data from your development environment to
your production environment; if you're deploying an application, it
should be starting from a known, tested state independent of any other
database. That's just my personal feeling though - I'm sending this to
the engines users list, and everyone is welcome to comment.... any
thoughts guys?

> A suggestion on the meta-language though, the
> UserController.action_groups.xxx stuff is ugly.

As I said, at the moment it's just all hypothetical, and what I wrote
there was merely an illustration :)

(message history follows for the benefit of engines-users...)

- james

On 1/16/06, Mik Mifflin <[EMAIL PROTECTED]> wrote:
> Actually, that's not really what I was looking for.  Imagine adding roles
> through the web interface, how then do you export them using this stuff?  It
> looks like something that would be OK in a migration or rake task, I guess,
> but it doesn't really fit with the interface you already provided.  I also
> think it's overkill.
>
> A suggestion on the meta-language though, the
> UserController.action_groups.xxx stuff is ugly.  So is the
> add_permissions stuff.  This would be prettier:
>
> role 'Admin' do|r|
>   r.permissions += "user/#edit user/#admin user/#view admin/index"
> end
>
> Or more simply:
> role('Admin').permissions += "user/#edit user/#admin user/#view admin/index"
>
> The hash marks would have special meaning, but the huge amount of repetition
> is gone.  Take as much of the code out of the front, and put it in the back.
>
> Come to think of it, couldn't you just extend Role#permissions?
>
> Role.find_by_name('Admin').permissions += "user/#edit user/#admin user/#view admin/index"
>
> Now utilize method_missing in Role, for something like this:
>
> Role.admin_role.permissions += "user/#edit user/#admin user/#view admin/index"
>
>
>  On 1/15/06, James Adam <[EMAIL PROTECTED]> wrote:
> > Hi Mik,
> >
> > You've just brought up an issue that we were thinking about at work on
> > Friday - we need some means of defining Roles that is 'above' the
> > database. What we're going to develop is a kind of meta-language for
> > specifying these roles (Editor, Updater, Viewer, User, Admin,
> > Whatever) programmatically in your application, so you can then run a
> > simple rake task to have them created automatically on whatever
> > database you're in from scratch. Does that sound like it would solve
> > your problem?
> >
> > For a sneak preview, it will end up being something like this:
> >
> > class UserController
> >   action_group :edit, [:edit, :change_password, :change_details]
> >   action_group :view, [:show, :list]
> >   action_group :admin, [:destroy, :edit_user]
> >   ...
> > end
> >
> > ... then somewhere else, to create some of the roles:
> >
> > role "Admin" do |r|
> >   r.add_permissions UserController.action_groups.edit
> >   r.add_permissions UserController.action_groups.admin
> >   r.add_permissions UserController.action_groups.view
> >   r.add_permission "admin/index"
> > end
> >
> > role "User" do |r|
> >   r.add_permissions UserController.action_groups.view
> > end
> >
> > # etc etc etc
> >
> > Nothing's finalized, certainly not the exact syntax, but that's the
> > kind of thing we're thinking about implementing. Let me know what your
> > thoughts are...
> >
> > - james
> >
> > On 1/16/06, Mik Mifflin <[EMAIL PROTECTED]> wrote:
> > > I like user_engine, but I was annoyed that I had no way of moving my roles
> > > and permissions_roles tables from my development machine to web server
> > > reliably.  I wrote some rake tasks to take care of this, and I think other
> > > people will find them useful.  Perhaps they should be included with
> > > user_engine's rake tasks?
> > >
> > > I had a few problems implementing it.  You can't expect IDs to be the same
> > > across development machines and the web server, and it's difficult to dump
> > > the join table without the IDs.  I solved them though, but these were my
> > > first rake tasks.  Not sure if I did everything "right".
> > >
> > > --
> > >  - Mik Mifflin
> > > "Whether freedom is going to survive at all is in doubt, but we've got to
> > > try" - RMS
> > >
> >
>
>
>
> --
>
>  - Mik Mifflin
> "Whether freedom is going to survive at all is in doubt, but we've got to
> try" - RMS
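
The role definitions discussed in this thread, as an added Ruby example that is not part of the original messages and not user_engine code: it expands the `user/#edit` shorthand into explicit permissions and compares the declared roles with stored data so differences can be audited. All names (`ACTION_GROUPS`, `expand`, `PermissionList`, `role`, `drift`) are hypothetical and the stored data is constructed.

```ruby
# Added illustration; every name below is hypothetical, not user_engine's API.
ACTION_GROUPS = { "user" => { edit:  %w[edit change_password change_details],
                              view:  %w[show list],
                              admin: %w[destroy edit_user] } }.freeze

# Expand "user/#edit" into concrete "controller/action" entries. An unknown
# controller or group raises KeyError, so a typo cannot silently alter a grant.
def expand(spec)
  spec.split.flat_map do |token|
    controller, action = token.split("/", 2)
    next [token] unless action&.start_with?("#")
    ACTION_GROUPS.fetch(controller).fetch(action[1..-1].to_sym)
                 .map { |a| "#{controller}/#{a}" }
  end
end

# Immutable list, so `r.permissions += "..."` reads as proposed in the thread.
class PermissionList
  attr_reader :entries
  def initialize(entries = [])
    @entries = entries.uniq.sort.freeze
  end
  def +(spec)
    PermissionList.new(entries + expand(spec))
  end
end

RoleSpec = Struct.new(:name, :permissions)
ROLES = {}

def role(name)
  spec = ROLES[name] ||= RoleSpec.new(name, PermissionList.new)
  yield spec if block_given?
  spec
end

# Per role: permissions missing from, or extra in, stored data (name => strings).
def drift(stored)
  (ROLES.keys | stored.keys).sort.each_with_object({}) do |name, report|
    declared = ROLES[name] ? ROLES[name].permissions.entries : []
    actual = stored.fetch(name, [])
    diff = { missing: declared - actual, extra: actual - declared }
    report[name] = diff unless diff.values.all?(&:empty?)
  end
end

role("Admin") { |r| r.permissions += "user/#edit user/#admin user/#view admin/index" }
role("User")  { |r| r.permissions += "user/#view" }
# Constructed stored state: "User" has picked up a destroy grant.
p drift("Admin" => ROLES["Admin"].permissions.entries,
        "User"  => %w[user/show user/list user/destroy])
```
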
_______________________________________________
engine-users mailing list
[email protected]
http://lists.rails-engines.org/listinfo.cgi/engine-users-rails-engines.org
