Fine Grained Access to Objects


tom hartwell

May 16, 2009, 11:34:46 AM
to declarative_authorization
Is there a best practice for handling access to particular objects? An
example follows.

User A creates an Organization object O. O.owner = A

User A wants user B and user C to also have all privs to CRUD O.


In this scenario it seems like an object_roles table is required,
similar to what is created in rails-authentication-plugin, where it's
polymorphic. This would keep it very simple, but is there a best
practice that is different for declarative_auth?

# Grant user B access to O (the polymorphic type column holds the class name as a string)
object_role = ObjectRole.new
object_role.user_id = B.id
object_role.object_type = "Organization"
object_role.object_id = O.id

# Grant user C access to O
object_role = ObjectRole.new
object_role.user_id = C.id
object_role.object_type = "Organization"
object_role.object_id = O.id

Steffen Bartsch

May 16, 2009, 11:44:22 AM
to declarative_...@googlegroups.com, tom hartwell
On Saturday, 16 May 2009, tom hartwell wrote:
> In this scenario it seems like a object_roles table is required,
> similar to what is created in rails-authentication-plugin, where it's
> polymorphic.  This would keep it very simple, but is there a best
> practice that is different for declarative_auth?

If you need an ACL-like way of user A to assign CRUD-permissions to B and C,
this is the way to go. On the other hand, if there is another connection
between A, B, and C that leads to the permissions, you'd use that
relationship instead.

Steffen

tom hartwell

May 29, 2009, 11:40:54 PM
to declarative_authorization
Steffen,

I appreciate the response. I am revisiting the concept of an ACL and
implementing it, but I'm having trouble seeing how it will integrate
w/ decl_auth. I've created an AuthorizedModel model that
has attrs :user_id, :model_id, :model_type, and I'd like to do
something like:

<code>
role :league_admin do
  includes :guest
  has_permission_on :leagues do
    to :manage
    if_attribute <user.authorized_objects.contains(AuthorizedModel.find(:model_id == league.id && :model_type == "League"))
  end
end
</code>

Sorry for the messy pseudo-code in the if attribute arg, I'm just not
clearly seeing the solution. Any guidance would be appreciated.

Thanks,
Tom

On May 16, 8:44 am, Steffen Bartsch <sbart...@tzi.de> wrote:
> On Saturday, 16 May 2009, tom hartwell wrote:
>
> > In this scenario it seems like a object_roles table is required,
> > similar to what is created in rails-authentication-plugin, where it's
> > polymorphic.  This would keep it very simple, but is there a best
> > practice that is different for declarative_auth?
>
> If you need an ACL-like way of user A to assign CRUD-permissions to B and C,

Steffen Bartsch

May 30, 2009, 8:36:14 AM
to declarative_...@googlegroups.com, tom hartwell
On Saturday, 30 May 2009, tom hartwell wrote:
> I've created an AuthorizedModel model that
> has attrs :user_id, :model_id, :model_type, and I'd like to do
> something
> like:

if_attribute always starts off from the current object, a league in this case.

  role :league_admin do
    includes :guest
    has_permission_on :leagues do
      to :manage
      if_attribute :authorized_users => contains {user}
    end
  end

Now, your league model only needs a standard Rails

  has_many :authorized_models
  has_many :authorized_users, :through => :authorized_models, :source => ...

Steffen
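
The rule and associations from the reply above, modelled as an added example in plain Ruby (not code from the thread or from declarative_authorization; no Rails or gem is loaded). The `Acl` class and its method names are hypothetical; the join row uses the `user_id`, `model_id`, `model_type` attributes named in the thread, and the lookup matches on both type and id so that a grant on one model cannot leak to another model with the same id.

```ruby
# Plain-Ruby sketch; Acl and its methods are hypothetical names.
User         = Struct.new(:id, :login)
League       = Struct.new(:id, :title)
Organization = Struct.new(:id, :title)
# Join row with the attributes named in the thread.
AuthorizedModel = Struct.new(:user_id, :model_id, :model_type)

class Acl
  def initialize
    @rows = []
  end

  # Record that user may manage object; a repeated grant adds no second row.
  def grant(user, object)
    row = row_for(user, object)
    @rows << row unless @rows.include?(row)
    row
  end

  def revoke(user, object)
    @rows.delete(row_for(user, object))
  end

  # Stand-in for has_many :authorized_users, :through => :authorized_models.
  # Match model_type AND model_id: ids repeat across tables.
  def authorized_user_ids(object)
    @rows.select { |r| r.model_type == object.class.name && r.model_id == object.id }
         .map(&:user_id)
  end

  # Mirrors `if_attribute :authorized_users => contains {user}`:
  # start from the object, deny unless the user is on its list.
  def permitted?(user, object)
    !user.nil? && authorized_user_ids(object).include?(user.id)
  end

  private

  def row_for(user, object)
    AuthorizedModel.new(user.id, object.id, object.class.name)
  end
end

# Constructed sample data: B is granted the league, C only an organization with the same id.
acl = Acl.new
b, c = User.new(2, "B"), User.new(3, "C")
league, org = League.new(1, "Sunday League"), Organization.new(1, "O")
acl.grant(b, league)
acl.grant(c, org)
puts [acl.permitted?(b, league), acl.permitted?(c, league)].inspect
```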
