Best way to implement small-scale authorization for a web application?

I am working on a Rails web application and it is currently used by approximately 20 users.

Some parts of the application are available only to some users, so we already have a basic authorization structure, which I implemented using the act_as_authenticated plugin.

User rights depend on which department they work in; for example, the administration has access to all parts of the application, accounting only has access to parts related to accounting, sales only has access to parts related to sales, etc.

On the other hand, users see links to actions for which they do not have privileges. For example, those in the sales department see a link to financial records in the main menu, but when they click on it, nothing happens. This is because, AFAIK, there is no effective way to query user rights with act_as_authenticated.

I want to change this in two ways:

  • I want to introduce finer-grained authorization. Currently, authorization is performed at the controller level. I want to do this at the action or model level. For example, I want sales staff to be able to create and update payments, but not delete them.

  • I want to be able to effectively query user privileges, so I can remove unnecessary (and confusing) links from the interface.

, ?

, , , .

, :

# Role-based check: the current user is authorized when their role
# is either foo or bar; used as a per-action guard.
def authorized?
  current_user.role.foo? || current_user.role.bar?
end

, , , :

+------------+------------+---------+
| department | controller | action  |
+------------+------------+---------+
| accounting | payments   | index   |
| accounting | payments   | new     |
| accounting | payments   | create  |
| accounting | payments   | edit    |
| accounting | payments   | update  |
| accounting | payments   | destroy |
| sales      | payments   | new     |
| sales      | payments   | create  |
| sales      | payments   | edit    |
| sales      | payments   | update  |
+------------+------------+---------+

+------------+----------+-------+--------+------+--------+--------+
| department | model    | list  | create | read | update | delete |
+------------+----------+-------+--------+------+--------+--------+
| accounting | payments | TRUE  | TRUE   | TRUE | TRUE   | TRUE   |
| sales      | payments | FALSE | TRUE   | TRUE | TRUE   | FALSE  |
+------------+----------+-------+--------+------+--------+--------+
+5
3
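The two tables above can be turned into one lookup that answers both of the questioner's needs: a per-action guard (the controller/action table) and a query the view can use to hide links (the model/CRUD table). The following is an added example, not code from the original question or any of the answers; it is plain Ruby with no Rails dependency, the `User` struct, the `'*'` wildcard row for administration, the resource names and the link markup are constructed for illustration, and the permission rows themselves mirror the accounting and sales rows shown in the tables. Anything not listed in the table is denied.

```ruby
# Added example: department-level permission table with a can?/authorize!
# check and a view helper that only renders links the user may follow.
# Plain Ruby, no Rails; User and the '*' wildcard are assumptions.
require 'set'

# Permission matrix in the shape of the second table above:
# department -> resource -> set of allowed CRUD verbs.
# Rows for accounting and sales are the ones from the table; the
# administration row uses a constructed '*' wildcard (access to all parts).
PERMISSIONS = {
  'administration' => { '*' => Set[:list, :create, :read, :update, :delete] },
  'accounting'     => { 'payments' => Set[:list, :create, :read, :update, :delete] },
  'sales'          => { 'payments' => Set[:create, :read, :update] },
}.freeze

# Rails controller action -> CRUD verb, so the same table answers both
# "may this action run?" and "may this link be shown?" (first table above).
ACTION_TO_VERB = {
  'index' => :list, 'show' => :read,
  'new' => :create, 'create' => :create,
  'edit' => :update, 'update' => :update,
  'destroy' => :delete,
}.freeze

# Minimal stand-in for the application's user record (constructed).
User = Struct.new(:name, :department)

class NotAuthorized < StandardError; end

module Authorization
  module_function

  # True only when the department's row explicitly grants the verb on the
  # resource (or on every resource via '*'). Unknown departments,
  # resources and verbs all fall through to false (default deny).
  def can?(user, verb, resource)
    rows = PERMISSIONS.fetch(user.department, {})
    allowed = rows.fetch(resource, Set.new) | rows.fetch('*', Set.new)
    allowed.include?(verb)
  end

  # Controller-level query: translate a Rails action name to its verb.
  # An action with no mapping (e.g. a typo) is denied rather than allowed.
  def can_run?(user, controller, action)
    verb = ACTION_TO_VERB[action]
    !verb.nil? && can?(user, verb, controller)
  end

  # before_action-style guard: raise so the action body never runs.
  def authorize!(user, controller, action)
    return true if can_run?(user, controller, action)
    raise NotAuthorized, "#{user.name} (#{user.department}) may not #{action} #{controller}"
  end

  # View helper: returns the link markup only when the user may follow it,
  # which is what removes the dead links from the menu.
  def link_if_allowed(user, label, controller, action)
    return nil unless can_run?(user, controller, action)
    "<a href=\"/#{controller}/#{action}\">#{label}</a>"
  end
end

if __FILE__ == $PROGRAM_NAME
  sales = User.new('sam', 'sales')
  puts Authorization.can_run?(sales, 'payments', 'create')    # true
  puts Authorization.can_run?(sales, 'payments', 'destroy')   # false
  puts Authorization.link_if_allowed(sales, 'Payments', 'payments', 'index').inspect  # nil
  begin
    Authorization.authorize!(sales, 'payments', 'destroy')
  rescue NotAuthorized => e
    puts e.message
  end
end
```

In a Rails application the same module would sit behind a `before_action` that calls `authorize!` with `controller_name` and `action_name`, and the menu partial would call `link_if_allowed` instead of `link_to`, so the guard and the menu consult one table and cannot drift apart. Keeping the default as deny means a new controller or a renamed action is invisible and blocked until someone adds a row.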

, , - . :

  • (, )
  • - (, )
  • (, - )
  • - (, , )
  • - (, )

. , . ( Rails .)

- , , ( ), , - ( ) . , , , , .

, Rails, ( , , , , ) /.

tweaked rails-authorization-plugin, , , ( , , ).

+3

" " "" ; "" " " . , , , . , , .

/

0

, , . , , , , (, " " " xxx" )

, , , , :

№1, .

№ 2, . , , ( ) . " " /, . , " ".

0
