Using rails associations to handle authorization?

1 view
Skip to first unread message

pac

unread,
Nov 11, 2009, 4:01:28 PM11/11/09
to acl9-discuss
I'm building a rails app where all authorization follows the has_one
and has_many rails associations. For example every user has exclusive
access to his/her own profile. And beyond that, if anything other
object has an exclusive belongs_to to that user then only the user has
access to that too. If that's all I need, can I handle my access
control by just using a session authentication solution and not worry
about adding an authorization tool (i.e acl9)?

Short example for a small company of website builders. A person signs
up once as a user, and then signs up for various projects as a
manager, coder, or designer.
User.rb #a person
Project.rb #a project
Manager.rb #a role that a user plays on a project
Coder.rb #a role that a user plays on a project
Designer.rb #a role that a user plays on a project

So the roles connect users to projects.
A user can have different roles on different projects.
A user can have more than one role on a project, and thus we would
create two roles for that user/project combination.

I'm making the roles their own separate objects because these role
models will be quite different from one another. Since they all have
exclusive ownership by their proper users, can I completely avoid
using a formal authorization scheme?

Jason King

unread,
Nov 12, 2009, 2:10:56 AM11/12/09
to acl9-d...@googlegroups.com
Yes.

Basically your role tables do what Acl9 does in the backend, except
you're doing it specifically for your problem space. You'll be good
as long as you only access the project from the authenticated user
(ie. from your session authentication solution - as you mention)
through the relevant role.

Reply all
Reply to author
Forward
0 new messages