[英]declarative_authorization permissions on roles
I'm trying to add authorization to a rather large app that already exists, but I have to obfuscate the details a bit. 我正在尝试将授权添加到已经存在的相当大的应用程序中,但我必须稍微模糊一些细节。
Here's the background: 这是背景:
In our app we have a number or roles that are hierarchical, roughly like this: 在我们的应用程序中,我们有一些或多个层次结构的角色,大致如下:
BasicUser -> SuperUser -> Admin -> SuperAdmin
For authorization each User model instance has an attribute 'role' which corresponds to the above. 对于授权,每个用户模型实例都具有与上面对应的属性“角色”。
We have a RESTful controller "Users" that is namespaced under Backoffice. 我们有一个RESTful控制器“Users”,它在Backoffice下命名。 So in short it's Backoffice::UsersController.
所以简而言之就是Backoffice :: UsersController。
class Backoffice::UsersController < ApplicationController
filter_access_to :all
#... RESTful actions + some others
end
So here's the problem: 所以这就是问题所在:
We want users to be able to give permissions for users to edit users but ONLY if they have a 'smaller' role than they currently have. 我们希望用户能够为用户提供编辑用户的权限,但仅限于他们拥有比当前用户更小的角色。 I've created the following in authorization_rules.rb
我在authorization_rules.rb中创建了以下内容
authorization do
role :basic_user do
has_permission_on :backoffice_users, :to => :index
end
role :super_user do
includes :basic_user
has_permission_on :backoffice_users, :to => :edit do
if_attribute :role => is_in { %w(basic_user) }
end
end
role :admin do
includes :super_user
end
role :super_admin do
includes :admin
end
end
And unfortunately that's as far as I got, the rule doesn't seem to get applied. 不幸的是,就我而言,规则似乎并没有得到应用。
I've also tried a couple of variations on the if_attribute: 我还尝试了if_attribute的几个变种:
if_attribute :role => is { 'basic_user' }
if_attribute :role => 'basic_user'
and they get the same effect. 他们得到同样的效果。 Does anybody have any suggestions?
有人有什么建议吗?
I'm sure you solved this problem by now, but we just had a similar issue and hit upon a solution that may be of some help. 我相信你现在已经解决了这个问题,但是我们遇到了类似的问题并找到了可能有所帮助的解决方案。 It may not be possible to handle the case purely in the declarative authorization DSL but you can leverage the DSL to do the right thing in your models and views.
可能无法仅在声明性授权DSL中处理此案例,但您可以利用DSL在模型和视图中执行正确的操作。 Basically, we needed access to the role hierarchy graph.
基本上,我们需要访问角色层次结构图。
The clue is that declarative_authorization has a nifty controller which produces a graph showing the hierarchy of your roles. 线索是declarative_authorization有一个漂亮的控制器,它生成一个显示角色层次结构的图表。 Using the same supporting code they have, you can easily access the ancestors of any role thusly:
使用相同的支持代码,您可以轻松访问任何角色的祖先:
class Role < ActiveRecord::Base
require 'declarative_authorization/development_support/analyzer'
has_many :assignments
has_many :users, :through => :assignments
validates :name, :presence => true
validates :name, :uniqueness => true
def ancestors
Authorization::DevelopmentSupport::AnalyzerEngine::Role.for_sym(self.name.to_sym,
Authorization::Engine.instance).ancestors.map { |r| r.instance_variable_get("@role") }
end
def self_and_ancestors
ancestors << self.name.to_sym
end
end
You can then use this to do things like only offer role selections in the User editor which are the same or inferior to the current_user's role and also deny access or not permit the change in the model to someone trying to promote a user inappropriately. 然后,您可以使用此选项来执行仅在用户编辑器中提供与current_user角色相同或较差的角色选择,并拒绝访问或不允许将模型更改为试图不恰当地提升用户的人。 It's not that useful in the context of the declarative authorization DSL itself since it would need to be parsed first, creating a kind of circular reference.
它在声明性授权DSL本身的上下文中没有那么有用,因为它需要首先被解析,创建一种循环引用。
Hope this helps anyone out there needing it. 希望这可以帮助那些需要它的人。
I have the following approach in my app and it works 我在我的应用程序中有以下方法,它的工作原理
role :super_user do
includes :basic_user
has_permission_on :backoffice_users do
to :edit
if_attribute :role => is {"basic_user"}
end
end
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.