Justin, I definitely plan on sharing my authorization solution if there is a need for it. Since I am new to Merb, I wanted to use it for a bit to make sure that there were not any basic flaws with my scheme.
Here is a summary of how it works:

* A Permission has a name and a list of allowed controllers and actions (with wildcard support). It also supports an :if clause that lets the controller decide if access should be permitted, based on session state and params.
* A Role has a name and a set of default Permissions.
* A user has a Role and extra Permissions.
* Before every controller call, ensure_authorized is run, by adding a before hook in Application.
* ensure_authorized gets the Permissions for the current user, which are the default Permissions for the user's role plus the extra Permissions. It then takes the controller_name and action_name and sees if the user is authorized for the current action.
* If a user is not logged in, they are a guest user, with whatever permissions are associated with the "guest" role.

The one part I am not happy about is that I am not integrating with the Merb router. That is, I am not supporting named routes, etc. That would need to be resolved before I consider my scheme acceptable for merb integration.

Note that the author of merb-auth says:

"I'm working on an authorization component to work with merb-auth(entication) that works in a similar manner but it's not ready yet. If you want to make sure that only an admin uses a particular controller. Test for it in your controller. Authentication != Authorization. Seriously. That is the next logical step for this and is currently being developed."

So I will be contacting him soon to see what the status of his authorization component is.

..tony..

On Thu, Dec 11, 2008 at 10:04 AM, Justin Reagor <[email protected]> wrote:
>
> On Dec 11, 2008, at 12:40 PM, Tony Mann wrote:
>
> I am using a hand-rolled authorization scheme (more on that in another post) that allows users to access only specified routes. Thus it protects the underlying resources from unauthorized manipulation. For my dashboard controller, I would like this same authorization scheme to be used, and one way to do this is to access data through the resources instead of the models.
>
> I would also be interested to hear more about this authorization scheme, is it open sourced or do you plan to? I have some suggestions for this type of setup, but without seeing the code it would be imprudent of me to make any.
>
> :: Justin Reagor
> :: [email protected]
