On July 21, 2010 08:33:01 am atmorell wrote:
> Hello,
>
> It would be very useful to have a section with "effective permissions"
> for user/objects on the summary page. Let's say I want to know what
> user Bob can do. That's not easy to track down manually, and I fear
> that I might have given a user too many rights.
>
> Example on how this could work:
>
> Form:
> Select: user.
> Select: model
> Select: record
> submit
>
> =
> read
> update (id, body ) <--- oh no he can change id.
> destroy <--- remove this before site goes live.
>
You would need to add fields to the "read" line because you can allow a user to fetch the record but only see specific fields in the record. Furthermore, the permission system is not limited to fields in the database because you may have methods that wrap the database fields. For example, the User model has a "crypted_password" that is wrapped by the "password" method. It is very difficult (possibly intractable) to create a general purpose form for identifying privileges.

> Maybe also display effective permissions on related models. This is not
> that important and it would be totally fine to just manually select
> one model/record at a time.
>
> How do you guys make sure that nothing slips through?

Lots of unit testing: 50-90% of my unit tests are permission checking. I have CRUD tests for every model for every role. That is, for every role I create a test user for that role. For example, the following code tests the update permissions on the ClubPro model:

  # Rails/Hobo unit test; users(:role) are fixture users, one per role,
  # and @a_club_pro is the ClubPro record under test.
  def test_update_permissions
    # Record-level: who may update the record at all
    assert @a_club_pro.editable_by?(users(:an_administrator))
    assert @a_club_pro.editable_by?(users(:a_organizer))
    assert @a_club_pro.editable_by?(users(:a_club_pro))
    assert ! @a_club_pro.editable_by?(users(:a_captain))
    assert ! @a_club_pro.editable_by?(users(:a_player_1))
    assert ! @a_club_pro.editable_by?(Guest.new)
    # Field-level: :name (a club pro may not change their own name)
    assert @a_club_pro.editable_by?(users(:an_administrator), :name)
    assert @a_club_pro.editable_by?(users(:a_organizer), :name)
    assert ! @a_club_pro.editable_by?(users(:a_captain), :name)
    assert ! @a_club_pro.editable_by?(users(:a_player_1), :name)
    assert ! @a_club_pro.editable_by?(users(:a_club_pro), :name)
    assert ! @a_club_pro.editable_by?(Guest.new, :name)
    # Field-level: :email_address
    assert @a_club_pro.editable_by?(users(:an_administrator), :email_address)
    assert @a_club_pro.editable_by?(users(:a_organizer), :email_address)
    assert @a_club_pro.editable_by?(users(:a_club_pro), :email_address)
    assert ! @a_club_pro.editable_by?(users(:a_captain), :email_address)
    assert ! @a_club_pro.editable_by?(users(:a_player_1), :email_address)
    assert ! @a_club_pro.editable_by?(Guest.new, :email_address)
    # Field-level: :telephone_number
    assert @a_club_pro.editable_by?(users(:an_administrator), :telephone_number)
    assert @a_club_pro.editable_by?(users(:a_organizer), :telephone_number)
    assert @a_club_pro.editable_by?(users(:a_club_pro), :telephone_number)
    assert ! @a_club_pro.editable_by?(users(:a_captain), :telephone_number)
    assert ! @a_club_pro.editable_by?(users(:a_player_1), :telephone_number)
    assert ! @a_club_pro.editable_by?(Guest.new, :telephone_number)
  end

Note that there are also :a_player_2, :b_player_1 users that are used when :a_player_2 should have different privileges than :a_player_1 or :b_player_1.

This makes it very easy for me to check what users have which privileges. It also has the benefit that my clients can read and understand the user privileges when presented in this format.

Finally, my development patterns are such that I develop the business logic in the models before presentation logic in the views, and I tend to be fairly restrictive on the permissions that are granted to each role. This means that I often have to open up privileges a bit to get the user interface to work because it sometimes uses the model fields in ways I had not anticipated.

I hope this helps.

Regards,
Henry

-- 
Henry Baragar
Instantiated Software

-- 
You received this message because you are subscribed to the Google Groups "Hobo Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/hobousers?hl=en.
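The pattern Henry describes, as an added example that is not part of the thread and not Hobo's or Henry's code: a plain-Ruby stand-in for a model whose update permission is checked per record and then per attribute, in the same editable_by?(user, attribute) shape his test exercises. It goes a step beyond the test by deriving the "effective permissions" table atmorell asked for from the model's own predicates, for a fixed list of declared attributes. The roles, the attribute list (including a never-editable :id) and the rules are assumptions chosen to mirror the test above.

```ruby
# Added example (assumed roles and rules; not Hobo's API, not code from the thread).

class Guest            # unauthenticated user, as in Guest.new above
  def role
    :guest
  end
end

User = Struct.new(:role, :login)

class ClubPro
  # Every attribute a form could post, including ones that must never be editable.
  ATTRIBUTES = %i[id name email_address telephone_number].freeze

  attr_reader :owner

  def initialize(owner)
    @owner = owner   # the club_pro user this record describes
  end

  # Record-level rule: who may update this record at all.
  def updatable_by?(user)
    case user.role
    when :administrator, :organizer then true
    when :club_pro then user.equal?(owner)  # only their own record
    else false                              # captains, players, guests
    end
  end

  # Attribute-level rule layered on the record-level one: no record access
  # means no field access; :id is never editable; a club pro may change
  # their contact details but not their own name.
  def editable_by?(user, attribute = nil)
    return updatable_by?(user) if attribute.nil?
    return false unless updatable_by?(user) && ATTRIBUTES.include?(attribute)
    case attribute
    when :id   then false
    when :name then %i[administrator organizer].include?(user.role)
    else true
    end
  end
end

# Effective permissions of one user on one record ("what can Bob do?"),
# obtained by asking the model's predicates for every declared attribute.
def effective_permissions(record, user)
  fields = record.class::ATTRIBUTES.select { |a| record.editable_by?(user, a) }
  { update: record.editable_by?(user), fields: fields }
end

# Role x attribute table for one record, tab-separated, so the same facts the
# unit test pins down can be read by someone who does not read Ruby.
def permission_table(record, users)
  attrs = record.class::ATTRIBUTES
  header = (["role"] + attrs.map(&:to_s)).join("\t")
  rows = users.map do |u|
    ([u.role.to_s] + attrs.map { |a| record.editable_by?(u, a) ? "yes" : "no" }).join("\t")
  end
  ([header] + rows).join("\n")
end

if __FILE__ == $PROGRAM_NAME
  pro = User.new(:club_pro, "a_club_pro")        # constructed sample users
  record = ClubPro.new(pro)
  everyone = [User.new(:administrator, "an_administrator"),
              User.new(:organizer, "a_organizer"),
              pro,
              User.new(:club_pro, "b_club_pro"),  # a different club pro
              User.new(:captain, "a_captain"),
              Guest.new]
  puts permission_table(record, everyone)
end
```

The table only covers attributes the model declares in ATTRIBUTES, so a wrapper method such as the "password" accessor Henry mentions has to be added to that list by hand; that is exactly the gap that makes a fully general "effective permissions" form hard, and why the per-role unit tests remain the authoritative check.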
