I am searching for a gem that handles authentication and authorization at the same time for me.
I tried several combinations of different authentication and authorization gems, but even if the combinations worked, I dont get comfortable with them. I dislike the fact to configure so many things in so many places...
Therefore I am searching for a gem that handles both for me and is easy to configure.
It should work with rails 3.1 and have configurable roles. +1 if I can add own roles. +2 if I can assign the roles per object and dont have to assign them system wide...
To clarify the +2: Lets say I have a forum and a blog with the same user base. I have the admin role in both places and may do everything everywhere. A normal user without special rights is allowed to read and comment in the blog and to write in the forum. The user "klaus" is an author for blogposts but has no special rights in the forum, so there he is a normal user. On the other Hand there is "alfred" who is allowed to moderate the forum but not allowed to do anything more than comments and reading in the blog. There could be a third user that is allowed to write articles in the blog and moderate the forum... With the authorization gems I found and tried so far I had to define systemwide roles that had to implement different behaviour for the subsystems, so I had the following roles in this simple scenario: owner -> Overall side admin blog_author_and_forum_mod -> Is allowed to use full blog and moderate in the forum only_blog_author -> Is allowed to use the blog but is a simple user in the forum only_forum_mod -> Is allowed to moderate the forum, but is not allowed to create his own blogsposts user -> standarduser as described above guest -> Read-Only, is not allowed to comment or write in the forum.
If there are other subsystems added or hidden forums this will get much more complicated...
Additionally I think that the controller should not more about the user as what is absolutely necessary. As I understand the hole mechanisms, authorization should be part of the model, or at least of another subsystem...
If it would be possible I would even let the the database handle the users and create a single databaseuser for every user of my page and handle his permissions to the tables by the database as approach for authorization AND authentication at the same time, but I cant do this because 1) I dont know how to do this in rails and 2) my hoster does not allow more than one dbuser for free...
With this argumentation cancan + any authentication system is more what I want then your approach. But I prefer to have authentication and authorization in one single system.
For some reason everyone seems to always go for right Devise (like a
moth to a flame). Nothing wrong with that, but I've always found
OmniAuth to be far more superior: https://github.com/intridea/omniauth
Depending on who your provider is and what they're using for
authentication/authorization, it's quite easy to accomplish both
simultaneously in one flow. Google uses a hybrid OpenID approach
mixing in oauth authentication as part of the login flow and Facebook
does the same with connect.
OmniAuth is easy to use and well supported by the talented crew over
at Intridea. I've used it personally many times for Google, Facebook,
Twitter, and Vimeo, but it supports many more providers. If the
provider you're looking for isn't there, it's quite easy to add an
extension for them.
On Oct 14, 9:03 am, Norbert Melzer <timmel...@googlemail.com> wrote:
> I am searching for a gem that handles authentication and authorization
> at the same time for me.
> I tried several combinations of different authentication and
> authorization gems, but even if the combinations worked, I dont get
> comfortable with them. I dislike the fact to configure so many things
> in so many places...
> Therefore I am searching for a gem that handles both for me and is
> easy to configure.
> It should work with rails 3.1 and have configurable roles. +1 if I can
> add own roles. +2 if I can assign the roles per object and dont have
> to assign them system wide...
> To clarify the +2:
> Lets say I have a forum and a blog with the same user base. I have the
> admin role in both places and may do everything everywhere.
> A normal user without special rights is allowed to read and comment in
> the blog and to write in the forum.
> The user "klaus" is an author for blogposts but has no special rights
> in the forum, so there he is a normal user.
> On the other Hand there is "alfred" who is allowed to moderate the
> forum but not allowed to do anything more than comments and reading in
> the blog.
> There could be a third user that is allowed to write articles in the
> blog and moderate the forum...
> With the authorization gems I found and tried so far I had to define
> systemwide roles that had to implement different behaviour for the
> subsystems, so I had the following roles in this simple scenario:
> owner -> Overall side admin
> blog_author_and_forum_mod -> Is allowed to use full blog and moderate
> in the forum
> only_blog_author -> Is allowed to use the blog but is a simple user in the forum
> only_forum_mod -> Is allowed to moderate the forum, but is not allowed
> to create his own blogsposts
> user -> standarduser as described above
> guest -> Read-Only, is not allowed to comment or write in the forum.
> If there are other subsystems added or hidden forums this will get
> much more complicated...
I personally use Devise + CanTango (a roles layer on top of CanCan, an authorization provider) and it's really really easy to set it up and get going. You should really try the combo out.
On Sun, Oct 16, 2011 at 2:22 AM, Brandon Black <brandonmbl...@gmail.com>wrote:
> For some reason everyone seems to always go for right Devise (like a > moth to a flame). Nothing wrong with that, but I've always found > OmniAuth to be far more superior: https://github.com/intridea/omniauth
> Depending on who your provider is and what they're using for > authentication/authorization, it's quite easy to accomplish both > simultaneously in one flow. Google uses a hybrid OpenID approach > mixing in oauth authentication as part of the login flow and Facebook > does the same with connect.
> OmniAuth is easy to use and well supported by the talented crew over > at Intridea. I've used it personally many times for Google, Facebook, > Twitter, and Vimeo, but it supports many more providers. If the > provider you're looking for isn't there, it's quite easy to add an > extension for them.
> On Oct 14, 9:03 am, Norbert Melzer <timmel...@googlemail.com> wrote: > > Hi All!
> > I am searching for a gem that handles authentication and authorization > > at the same time for me.
> > I tried several combinations of different authentication and > > authorization gems, but even if the combinations worked, I dont get > > comfortable with them. I dislike the fact to configure so many things > > in so many places...
> > Therefore I am searching for a gem that handles both for me and is > > easy to configure.
> > It should work with rails 3.1 and have configurable roles. +1 if I can > > add own roles. +2 if I can assign the roles per object and dont have > > to assign them system wide...
> > To clarify the +2: > > Lets say I have a forum and a blog with the same user base. I have the > > admin role in both places and may do everything everywhere. > > A normal user without special rights is allowed to read and comment in > > the blog and to write in the forum. > > The user "klaus" is an author for blogposts but has no special rights > > in the forum, so there he is a normal user. > > On the other Hand there is "alfred" who is allowed to moderate the > > forum but not allowed to do anything more than comments and reading in > > the blog. > > There could be a third user that is allowed to write articles in the > > blog and moderate the forum... > > With the authorization gems I found and tried so far I had to define > > systemwide roles that had to implement different behaviour for the > > subsystems, so I had the following roles in this simple scenario: > > owner -> Overall side admin > > blog_author_and_forum_mod -> Is allowed to use full blog and moderate > > in the forum > > only_blog_author -> Is allowed to use the blog but is a simple user in > the forum > > only_forum_mod -> Is allowed to moderate the forum, but is not allowed > > to create his own blogsposts > > user -> standarduser as described above > > guest -> Read-Only, is not allowed to comment or write in the forum.
> > If there are other subsystems added or hidden forums this will get > > much more complicated...
> > TIA > > Norbert
> -- > You received this message because you are subscribed to the Google Groups > "Ruby on Rails: Talk" group. > To post to this group, send email to rubyonrails-talk@googlegroups.com. > To unsubscribe from this group, send email to > rubyonrails-talk+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/rubyonrails-talk?hl=en.
On Fri, Oct 14, 2011 at 15:20, Norbert Melzer <timmel...@googlemail.com> wrote: > t.boolean :may_see_hidden_forum_number1, :default => false > t.boolean :and_so_on, :default => false
> This is what I not wanted to do...
Correct. Any time you have a _number1 and_so_on, that's a smell that indicates a need to break out the association into a separate class (or at least table).
In this case, maybe something like having a set of user roles, whereby a given forum may require one or more (or perhaps *any of* several?) roles in order to administer it, or see it, or whatever, and users have zero or more roles.
For instance, let's say your project is a gathering place with forums for assorted aspects of various religions. (For instance, you may have Hebrew Lessons and Daily Torah Reading for the Jews; Arabic Lessons and Daily Quran Reading for the Muslims; Talking with your Mouth Full and Daily Sauce Recipe for the Pastafarians; and so on.) To prevent holy flame wars, you don't want the members each of them to even see the existence of the other religions' forums. Each forum could have an optional role required in order to see it, and each user could have zero or more roles. (More than one, in case you trust someone to see the forums of multiple religions.) Or, you could have multiple roles per forum, which raises the question of whether you want to require *any* of them, *all* of them, or something more complex.
-Dave
-- LOOKING FOR WORK! What: Ruby (on/off Rails), Python, other modern languages. Where: Northern Virginia, Washington DC (near Orange Line), and remote work. davearonson.com (main) * codosaur.us (programing) * dare2xl.com (excellence) Specialization is for insects. (Heinlein) - Have Pun, Will Babble! (Aronson)
Declarative Authorization is one more choice. For authentication, you would need user object in Crontroller#current_user and should user model need to respond to role_symbols. you can find more details on here<https://github.com/stffn/declarative_authorization>
Thanks, Harun
On Sat, Oct 15, 2011 at 5:58 PM, Dheeraj Kumar <a.dheeraj.ku...@gmail.com>wrote:
> I personally use Devise + CanTango (a roles layer on top of CanCan, an > authorization provider) and it's really really easy to set it up and get > going. You should really try the combo out.
> On Sun, Oct 16, 2011 at 2:22 AM, Brandon Black <brandonmbl...@gmail.com>wrote:
>> For some reason everyone seems to always go for right Devise (like a >> moth to a flame). Nothing wrong with that, but I've always found >> OmniAuth to be far more superior: https://github.com/intridea/omniauth
>> Depending on who your provider is and what they're using for >> authentication/authorization, it's quite easy to accomplish both >> simultaneously in one flow. Google uses a hybrid OpenID approach >> mixing in oauth authentication as part of the login flow and Facebook >> does the same with connect.
>> OmniAuth is easy to use and well supported by the talented crew over >> at Intridea. I've used it personally many times for Google, Facebook, >> Twitter, and Vimeo, but it supports many more providers. If the >> provider you're looking for isn't there, it's quite easy to add an >> extension for them.
>> On Oct 14, 9:03 am, Norbert Melzer <timmel...@googlemail.com> wrote: >> > Hi All!
>> > I am searching for a gem that handles authentication and authorization >> > at the same time for me.
>> > I tried several combinations of different authentication and >> > authorization gems, but even if the combinations worked, I dont get >> > comfortable with them. I dislike the fact to configure so many things >> > in so many places...
>> > Therefore I am searching for a gem that handles both for me and is >> > easy to configure.
>> > It should work with rails 3.1 and have configurable roles. +1 if I can >> > add own roles. +2 if I can assign the roles per object and dont have >> > to assign them system wide...
>> > To clarify the +2: >> > Lets say I have a forum and a blog with the same user base. I have the >> > admin role in both places and may do everything everywhere. >> > A normal user without special rights is allowed to read and comment in >> > the blog and to write in the forum. >> > The user "klaus" is an author for blogposts but has no special rights >> > in the forum, so there he is a normal user. >> > On the other Hand there is "alfred" who is allowed to moderate the >> > forum but not allowed to do anything more than comments and reading in >> > the blog. >> > There could be a third user that is allowed to write articles in the >> > blog and moderate the forum... >> > With the authorization gems I found and tried so far I had to define >> > systemwide roles that had to implement different behaviour for the >> > subsystems, so I had the following roles in this simple scenario: >> > owner -> Overall side admin >> > blog_author_and_forum_mod -> Is allowed to use full blog and moderate >> > in the forum >> > only_blog_author -> Is allowed to use the blog but is a simple user in >> the forum >> > only_forum_mod -> Is allowed to moderate the forum, but is not allowed >> > to create his own blogsposts >> > user -> standarduser as described above >> > guest -> Read-Only, is not allowed to comment or write in the forum.
>> > If there are other subsystems added or hidden forums this will get >> > much more complicated...
>> > TIA >> > Norbert
>> -- >> You received this message because you are subscribed to the Google Groups >> "Ruby on Rails: Talk" group. >> To post to this group, send email to rubyonrails-talk@googlegroups.com. >> To unsubscribe from this group, send email to >> rubyonrails-talk+unsubscribe@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/rubyonrails-talk?hl=en.
> -- > You received this message because you are subscribed to the Google Groups > "Ruby on Rails: Talk" group. > To post to this group, send email to rubyonrails-talk@googlegroups.com. > To unsubscribe from this group, send email to > rubyonrails-talk+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/rubyonrails-talk?hl=en.
