pac
unread,Nov 11, 2009, 4:01:28 PM11/11/09Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to acl9-discuss
I'm building a rails app where all authorization follows the has_one
and has_many rails associations. For example every user has exclusive
access to his/her own profile. And beyond that, if anything other
object has an exclusive belongs_to to that user then only the user has
access to that too. If that's all I need, can I handle my access
control by just using a session authentication solution and not worry
about adding an authorization tool (i.e acl9)?
Short example for a small company of website builders. A person signs
up once as a user, and then signs up for various projects as a
manager, coder, or designer.
User.rb #a person
Project.rb #a project
Manager.rb #a role that a user plays on a project
Coder.rb #a role that a user plays on a project
Designer.rb #a role that a user plays on a project
So the roles connect users to projects.
A user can have different roles on different projects.
A user can have more than one role on a project, and thus we would
create two roles for that user/project combination.
I'm making the roles their own separate objects because these role
models will be quite different from one another. Since they all have
exclusive ownership by their proper users, can I completely avoid
using a formal authorization scheme?