[英]Rails Authorization on Web Services
My rails app is pretty much a front-end to several web services. 我的rails应用程序几乎是几个Web服务的前端。 I persist my User model, and that's about it. 我坚持我的用户模型,就是这样。 I need to add authorization to my web app, using Devise for authentication. 我需要使用Devise进行身份验证,为我的Web应用添加授权。 I've noticed CanCan and acl9 seem to work mostly on instances of ActiveRecord models. 我注意到CanCan和acl9似乎主要用于ActiveRecord模型的实例。 Would CanCan or acl9 still fit my needs? CanCan或acl9能否满足我的需求? Any tips on using either of these libraries in my situation? 在我的情况下使用这些库中的任何一个的任何提示?
Should I look for something that works more on actions instead of instances? 我应该寻找更多关于行动而不是实例的东西吗?
Also, these are both Role based systems, and I'm thinking of using a permission based system. 此外,这些都是基于角色的系统,我正在考虑使用基于权限的系统。 Would they still be a good fit? 他们仍然适合吗?
I can't speak for acl9
. 我不能说acl9
。 However, the cancan
wiki does claim that "It is easy to make your own [model] adapter if one is not provided." 然而, cancan
确实声称“如果没有提供,很容易制作自己的[型号]适配器。” https://github.com/ryanb/cancan/wiki/Model-Adapter In other words, even though you're not using ActiveRecord, you might still be able to use cancan. https://github.com/ryanb/cancan/wiki/Model-Adapter换句话说,即使你没有使用ActiveRecord,你仍然可以使用cancan。
Then again, if you're not planning on having roles, your ability definitions in cancan might be a little redundant looking, eg.: 然后,如果你没有计划拥有角色,你在cancan中的能力定义可能有点多余,例如:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
can :create, Widget if user.has_permission(:create_widgets)
can :delete, Widget if user.has_permission(:delete_widgets)
can :herp, Derp if user.has_permission(:herp_derp)
end
end
It would be great if you could use cancan just for its controller action authorization methods, but I don't know if that's possible. 如果您可以将cancan仅用于其控制器操作授权方法,那将会很棒,但我不知道这是否可行。 Good luck. 祝好运。
Just to (finally :) answer for acl9 . 只是为了(最后:)回答acl9 。
Acl9 is composed of two very separate pieces, the Access Control Subsystem which is all the authorizing stuff you put in your controller, and the Role Subsystem which is setting/checking/removing roles from an authenticated user. Acl9由两个非常独立的部分组成,即访问控制子系统 ,它是您放入控制器的所有授权内容,以及角色子系统 ,它是从经过身份验证的用户设置/检查/删除角色。
The only thing that the Access Control Subsystem ever calls is current_user.has_role?( role, obj=nil)
. 该访问控制子系统调用过 的唯一的事情是current_user.has_role?( role, obj=nil)
。 So, the Role Subsystem has zero dependency on ActiveRecord, associations, database, etc. There is a helper ( acts_as_authorization_subject
) which adds an ActiveRecord-dependent has_role?
因此,角色子系统具有零依赖于ActiveRecord的,协会,数据库等有一个帮手( acts_as_authorization_subject
),其中增加一个ActiveRecord依赖has_role?
method to a class, but that's entirely optional and you're free to implement your own has_role?
类的方法,但这完全是可选的,你可以自由地实现自己的has_role?
method (which can also fallback to calling super
to get the acl9 one) and implement your access checks however you please. 方法(也可以回退到调用super
来获取acl9)并执行您的访问检查,但是请您。 So, you said that you do persist your user model, but let's say you want a role for your user to be the admin of a school, but that school is a web service call into some remote system. 所以,你说你坚持你的用户模型,但是我们要说你想为你的用户是一所学校的管理作用,但是,学校是一个Web服务调用到一些远程系统。
## in your model
class User < ActiveRecord::Base
def has_role? role, obj=nil
role == :admin &&
obj == school &&
school[:admin] == id # <-- just making up how we know we're the admin of the remote school
end
end
def school
@school ||= School.get_by_user_id(id)
end
end
## in your controller
class SomeController < ApplicationController
before_action :set_school
access_control do
allow :admin, of: :school
end
private
def set_school
@school = School.get_by_id(params[:school_id])
end
end
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.