What is the purpose of Rolify?

Hi, I am using rolify and just realized that in fact I am not using it fully.

I'm currently doing something in my controller, for example, redirecting users if current_user.has_role? :whatever_role, and allowing users to have any other role ...

Someone asked a Stack Overflow question about what needs to be done, and when I tried to answer it, I realized that I was doing it wrong.

Now, this is where my confusion begins ... Inside ability.rb I have:

    class Ability
      include CanCan::Ability

      def initialize(user)
        user ||= User.new # guest user (not logged in)
        if user.has_role? :consumer
          can :manage, Review
        else
          can :read, Review
        end
      end
    end

Now let's say that I am adding a consumer role to the user:

    x = User.last
    x.add_role :consumer
    # => #<Role id: 10, name: "consumer", resource_id: nil, resource_type: nil, created_at: "2013-04-18 23:00:46", updated_at: "2013-04-18 23:00:46">

That's right, so the role is created. I can verify this by doing:

    x.has_role? :consumer
    # => true

Now I expect this to provide a way to manage reviews ...

    x.has_role? :consumer, Review
    # => true

but not for other models ... here I try products

    x.has_role? :consumer, Product
    # => true

In addition, when I look at "request resource roles" and try to query the applicable roles for reviews, I cannot find the roles attached:

    Review.first.applied_roles
    # => []

Can someone please explain this to me? Thanks

+4
1 answer

My answer elaborates on this reddit post:

Authentication establishes that a User is who they claim to be.

Authorization establishes that a User can perform a task, whether read or write, after they have established their identity.

Roles are just general authorization templates for users: this User can be allowed to do such-and-such, that User can be allowed to do so-and-so.

The component that is missing here is Permissions: the relationship between an established Role and some controller action.

Roles themselves make no promises about what actions a User can perform. And remember, authorization is all about actions. Roles summarize which kind of User you are dealing with. They exist to save you from asking each User for a giant list of individual Permissions. They announce: this User is a Role! Of course they have Permission to do this!

There are many types of Permission. You can store them in the database if you want your sufficiently authorized Users to be able to edit them, along with your Roles if those must also be configurable. Or, if your Users' Roles are static enough, you can control Permissions in advance using Ruby code:

  • When I want to have custom Roles and Permissions, that is, for a client application that you hand over to someone at the end of the contract, I implement User has_many Roles and Role has_many Permissions using my own custom models, then add a before_filter :authorize hook to my ApplicationController and write an authorize method on it that knows how to fulfil those expectations or display a 403 page for those people who insist on manually entering the URLs of actions they hope to reach but should not have access to.

  • When I just want to set up Roles, I use Ryan Bates' CanCan gem.

  • When I want to have predefined Roles and Permissions, I use Rolify in combination with Nathan Long's Authority to get a delightfully flexible Permissions class based on Authorizer classes.

Both Roles and Permissions can be either class-based or instance-based, depending on your use case. You can, say, with the rolify capabilities that you just discovered, decide that Users can only act as a Role in certain instance-based circumstances. Or, a generic Role of a User can only perform an action if the object they are trying to act on has a specific type.

To explore their permutations, applied to a blog application, follow the formula:

A User who is a/an Role (class/instance) can action a/an/all/any Permission (class/instance):

  • Role class and Permission class:

    A User who is an Admin can delete any Post.

  • Role class and Permission instance:

    A User who is an Admin can edit all Posts that they approved to be published.

    This would be simpler if the Posts had an approved_by field holding a User identifier. (Use a state machine gem for this kind of situation.)

  • Role instance and Permission class:

    A User who is an Author of a Post can comment on any Post.

    Note that such a situation is rare, therefore there are no gems for this situation, except, perhaps, the ability to manage predefined circumstances, such as rolify and Authority; or, if you must hand this decision over to your client, your own solution.

  • Role instance and Permission instance:

    A User who is an Author of a Post can edit that Post.

TL;DR:

  • rolify is intended only for Roles: grouping Users for Permissions, i.e. access to controller actions. You still have to decide how you are going to manage Permissions.

I hope this helps you understand the position of rolify in the grand scheme of authentication and authorization!

+27
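The four Role/Permission permutations listed in the answer, together with the global-versus-resource-scoped role distinction behind the questioner's has_role? output, as an added example in dependency-free Ruby. This is constructed for this page; it is not the answerer's code and not the rolify, CanCan or Authority gems. Role, User, Post and Permissions are toy stand-ins, and the has_role? semantics (a role with no resource is global and answers true for any resource) are assumed to mirror what the question's console output shows.

```ruby
# Added example: a toy model separating Roles (who a user is) from
# Permissions (what a user may do). Constructed for illustration only;
# nothing here is rolify, CanCan or Authority code.

# --- Roles -------------------------------------------------------------

Role = Struct.new(:name, :resource) do
  # A role with no resource is global and matches any resource queried.
  # A role bound to a resource only matches that exact resource.
  def matches?(wanted, res = nil)
    return false unless name == wanted
    resource.nil? || resource == res
  end
end

class User
  attr_reader :id, :roles

  def initialize(id)
    @id = id
    @roles = []
  end

  # Returns self so roles can be chained when building fixtures.
  def add_role(name, resource = nil)
    @roles << Role.new(name, resource)
    self
  end

  # rolify-style query (assumed semantics): a global role answers true for
  # every resource, which is why a global :consumer role "works" for Product
  # as well as Review in the question.
  def has_role?(name, resource = nil)
    @roles.any? { |r| r.matches?(name, resource) }
  end
end

# --- Resources ---------------------------------------------------------

# approved_by holds the id of the User who approved the post, or nil.
Post = Struct.new(:id, :author_id, :approved_by)

# --- Permissions -------------------------------------------------------

class Permissions
  # Each rule: [action, resource class, predicate(user, record)].
  # One rule per permutation from the answer, in the order it lists them.
  RULES = [
    # Role class + Permission class: an Admin can delete any Post.
    [:delete,  Post, ->(u, _p) { u.has_role?(:admin) }],
    # Role class + Permission instance: an Admin can edit Posts they approved.
    [:edit,    Post, ->(u, p)  { u.has_role?(:admin) && p.approved_by == u.id }],
    # Role instance + Permission class: an Author of some Post can comment on any Post.
    [:comment, Post, ->(u, _p) { u.roles.any? { |r| r.name == :author && r.resource.is_a?(Post) } }],
    # Role instance + Permission instance: the Author of this Post can edit it.
    [:edit,    Post, ->(u, p)  { u.has_role?(:author, p) }]
  ].freeze

  # True if any rule for this action and record type grants it.
  def self.can?(user, action, record)
    RULES.any? do |act, klass, pred|
      act == action && record.is_a?(klass) && pred.call(user, record)
    end
  end
end

# Constructed fixtures exercising both the role query and every permission rule.
def demo
  post_a = Post.new(1, 10, nil)  # written by alice, not yet approved
  post_b = Post.new(2, 11, 20)   # written by someone else, approved by admin 20
  alice = User.new(10).add_role(:author, post_a)  # resource-scoped role
  admin = User.new(20).add_role(:admin)           # global role
  carol = User.new(30).add_role(:consumer)        # global role, as in the question

  {
    consumer_global_on_post: carol.has_role?(:consumer, post_a),  # global role matches anything
    author_scoped_on_other:  alice.has_role?(:author, post_b),    # scoped role does not
    admin_deletes_any:       Permissions.can?(admin, :delete, post_a),
    admin_edits_approved:    Permissions.can?(admin, :edit, post_b),
    admin_edits_unapproved:  Permissions.can?(admin, :edit, post_a),
    author_edits_own:        Permissions.can?(alice, :edit, post_a),
    author_edits_other:      Permissions.can?(alice, :edit, post_b),
    author_comments_other:   Permissions.can?(alice, :comment, post_b),
    consumer_comments:       Permissions.can?(carol, :comment, post_a)
  }
end

demo.each { |check, result| puts "#{check}: #{result}" } if $PROGRAM_NAME == __FILE__
```

The first two entries of demo reproduce the questioner's surprise: a role added without a resource is global, so has_role? returns true for any resource you pass, and nothing is attached to a particular record. The remaining entries show that deciding whether an action is allowed lives in the Permissions rules, which consult roles but are not themselves roles.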
