Rails可配置的按角色/按角色授权
[英]Rails configurable authorization per-role/crud action
问题描述
I'm working with a Rails 2.3 app that is already using declarative_authorization to handle user permissions. 
我正在使用已经使用declarative_authorization处理用户权限的Rails 2.3应用程序。 Each user belongs to one group (no fancy roles) with permissions on certain models, mostly the regular CRUD actions, but with a few special ones. 每个用户都属于一个组(无特殊角色),对某些模型具有权限,大多数是常规的CRUD操作,但有一些特殊的权限。 This all works fine with declarative_authorization in it's usual out of the box mode. 在通常的开箱即用模式下,使用declarative_authorization都可以正常工作。
We now want to allow admins to set permissions on particular groups of users with regards to model types. 现在,我们希望允许管理员为特定用户组设置有关模型类型的权限。 For example, we create a new group Foo, assign some users to it, and then decide with checkboxes if users in group Foo can c/r/u/d objects of model Bar. 例如,我们创建了一个新的Foo组,为其分配了一些用户,然后使用复选框确定Foo组中的用户是否可以c / r / u / d模型Bar的对象。
I've used acl9 before, and I think I see how I could make that work. 我以前使用过acl9,我想我知道该如何做。 I've been a fan of CanCan lately, but I don't see how do it easily with that. 我最近一直是CanCan的粉丝,但是我不知道该怎么做。 If declarative_authorization can do this, I'll stick with it, but I'm prepared to bite the bullet and switch. 如果declarative_authorization可以做到这一点,我会坚持下去,但是我准备咬牙切齿,转身去做。
What plugin would be the best way to accomplish this? 哪种插件是完成此任务的最佳方法? Is there a way to get declarative_authorization to do the job? 有没有办法让declarative_authorization来完成这项工作? An elegant way to use CanCan? 使用CanCan的一种优雅方式? Are there any gotchas I should watch for, eg database performance? 我应该注意什么陷阱,例如数据库性能?
I could be convinced to upgrade the app to Rails 3.1, but I'd prefer to find a 2.3-compatible solution. 我可以说服我将应用程序升级到Rails 3.1,但是我更愿意找到与2.3兼容的解决方案。
I've seen some similar questions, but no satisfactory answers Rails Dynamic Role-Based Authorization plugin? 我看到过类似的问题,但没有令人满意的答案Rails动态基于角色的授权插件?
and this, for cancan https://github.com/ryanb/cancan/wiki/Role-Based-Authorization 而这,对于cancan https://github.com/ryanb/cancan/wiki/Role-Based-Authorization
1 个解决方案
解决方案1
0 2011-10-24 14:10:05
I'm a fan of the StoneWall gem - authorization checks are in the form of a Ruby block, so in that block you could look up records and see if the user in question has authorization. 我是StoneWall gem的粉丝-授权检查采用Ruby块的形式,因此在该块中,您可以查找记录并查看相关用户是否具有授权。
There's not a lot of documentation, but the idea is: 没有很多文档,但是想法是:
a_user_object.may_read?(object)
If object is a Todo instance, then Stonewall will look int the Todo model and execute the read block 如果object是Todo实例,则Stonewall将看待Todo模型并执行read块
# app/models/todo.rb
stonewall do |s|
s.action :read do |todo, user|
todo.owner == user # only the owner of a todo item may read the item
end
end
This approach makes two things easy: 这种方法使两件事变得容易:
-
readis just a Ruby block, so whatever you want to happen can happenread只是一个Ruby块,所以无论您想发生什么,都可能发生 - actions can be given arbitrary names, so if you want to check to see if a user has permission to comment on a todo item (for example), just create a
s.action :commentand access it witha_user_object.may_comment?(object)可以给动作指定任意名称,因此,如果要检查用户是否有权对待办事项进行评论(例如),只需创建s.action :comment并使用a_user_object.may_comment?(object)访问a_user_object.may_comment?(object)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.