forked from mrchucho/easy-access
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME
91 lines (65 loc) · 2.64 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
Easy Access
===========
Easy access control and roles for CRUD operations.
Easy Access provides a mixin for your User model that adds a simple role-based
access control system for the standard CRUD operations. A default access control
routine is supplied, but it can be overridden on a model-by-model basis allowing
for very fine-grained control.
Every CRUD operation has a corresponding User method and model hook. Implement
the model hooks(e.g. can_be_viewed_by?, can_be_edited_by?, etc.) and/or the
default AccessSystem::has_privilege_for? to customize your specific access
controls.
Installation
============
./script/plugin install http://github.com/mrchucho/easy-access.git
./script/generate easy_access Role
Example
=======
The can_(create|view|update|destroy)? methods can safely be used in any Controller:
class RestrictedModelController < ApplicationController
def create
@model = RestrictedModel.build(params[:model])
raise PermissionDenied unless current_user.can_create?(@model)
@model.save!
redirect_to restricted_model_path(@model)
end
def show
raise PermissionDenied unless current_user.can_view?(@model)
end
def update
@model = RestrictedModel.find(params[:id])
raise PermissionDenied unless current_user.can_update?(@model)
@model.save!
redirect_to restricted_model_path(@model)
end
def destroy
@model = RestrictedModel.find(params[:id])
raise PermissionDenied unless current_user.can_destroy?(@model)
@model.destroy
redirect_to restricted_models_path
end
By default AccessSystem::has_privilege_for? provides coarse-grained access
controls. To implement fine-grained access control for a specific model:
class RestrictedModel < ActiveRecord::Base
# ...
def can_be_viewed_by?(user)
user == self.user
end
def can_be_updated_by?(user)
if self.state == :closed
false
else
user == self.user
end
end
def can_be_destroyed_by?(user)
user.roles.any?{|r| r.name.eql?("Destroyer")}
end
class ReadOnlyModel < ActiveRecord::Base
def can_be_viewed_by?(user); true; end
def can_be_destroyed_by?(user); false; end
def can_be_created_by?(user); false; end
def can_be_updated_by?(user); false; end
Note that you only need to override those hooks for which more specific
controls are required.
Copyright (c) 2008 Ralph M Churchill, released under the MIT license