I have a Rails app that I need to put access control on. (Some pages can be accessed by everyone, some pages can only be accessed by certain LDAP groups of people, etc.) What's the best way to handle this access control?
One way is to have a before_filter in all of my controllers that checks, for each action, whether the user belongs to an LDAP group authorized for that action. (But this seems possibly messy.) Is there a better way?
You should do this kind of thing with an authorization mechanism.
CanCan is really popular, and also quite simple: https://github.com/ryanb/cancan
You can find other gems for handling authorization here: https://www.ruby-toolbox.com/categories/rails_authorization
I highly recommend reading this book if you're new to Ruby On Rails. The section that talks about exactly what you need is here.
As far as I know, the before filter works perfectly, and isn't messy because it's handled in the controller for the page.
I'm learning Rails 4 and I'm looking to build in some basic admin functionality such as creating and viewing users. I can think of a few ways to do it manually, (such as creating a new controller or adding filters) but I'm pretty sure there's a "Rails Way" to do this easily. I've been digging through the docs and I see references to "built in authentication" that support my hunch, but I can't find the actual documentation.
For example, in CakePHP you can just prefix actions with admin_ and /admin/controller/action will work automatically. Is there a similar convention for Rails? If so, where can I find it?
Update:
As I continue to research this, I start to get the impression that admin authorization in Rails is commonly not handled by the Rails core, but rather in a gem like cancan. Perhaps this is why I was striking out by searching the Rails docs.
Update2:
This question wasn't intended to be a round-up of authorization gems, but since it appears gems are the typical way to handle even basic admin authorization, I'd like to find the simplest, most basic (and hopefully universal) option. A couple of options have been proposed below which come bundled with default dashboard views and elaborate configurations. I don't need all that. Just a simple, reliable strategy for dividing users into admins and non-admins with different scopes of allowed actions.
Check out the awesome rails_admin gem. It automatically generates just about everything you could need. Very handy and awesome project. https://github.com/sferik/rails_admin
Authentication is handled via the devise gem and authorization via cancan.
It's no replacement for custom admin functionality if you have very specific requirements, but it's great for the general admin tasks you described.
I am writing a site with multiple levels of privileges. There are basically 3 kinds of users in my system. They are Admin, Business, and Consumers (normal users). Let's just say that I am building an advertising site.
So I have a model "Campaign" which has a RESTful API that comes with rails scaffold. Businesses can create campaigns, users can only see which campaigns they want to join, and admins can do everything.
Now, I know how to apply before_filter and check rigorously for the type of users that can access a particular view.
However, each level of privilege has its own unique views.
Businesses can see the insights and analytics of their campaigns. (let's call this campaigns/analytics)
Consumers can see all the campaigns that they have participated in. (let's call this campaigns/your)
And admins have special views where they can monitor the site's activity. (let's call this campaigns/monitor_businesses).
Right now, my CampaignController has the usual RESTful views + analytics + your + monitor_businesses. Of course, I have multiple data models (not just campaigns), and this makes my RESTful controllers for those data models really messy.
What should I do? I am seriously considering starting a ConsumerController and then a BusinessController and putting all associated views in these controllers. I don't know if this violates "RESTful" principles, but I want to know what better patterns exist to deal with my problem.
I am open to all kinds of suggestions.
Why don't you try the CanCan gem for role management?
You can install it as you would any gem, using Bundler.
It is easy to set up and keeps you from creating the same boilerplate code that you normally would by creating extra controllers or actions.
To get you started I suggest that you visit the documentation on the main page. There is more information about defining what a user can do here and you can see how to check for abilities here.
You also need to add one line to controllers you want to enforce permissions on which you can read about here.
If the standard documentation isn't enough to get you started, why don't you take a look at Railscast 192? It shows you how to get up and running with CanCan, and it is a great source because Ryan Bates is the creator of the screencast as well as the creator of CanCan. If the video moves too fast for you, there is a text version here.
Why don't you try the cancan gem for role management? http://rubygems.org/gems/cancan
Or just do `gem install cancan`. I hope this helps.
I know there are role-based authorization gems/plugins for Rails to determine if a user can do things based on which role they're in. However, is there a best-practice approach to hiding actions from users based on ownership? I.e., the show/edit/destroy methods for a user should only be available if they're being performed on the currently logged-in user id. Hopefully that makes sense, but I've written some methods to protect against non-owners accessing methods and it's become a bit bloated and ugly.
Look at cancan's implementation.
I can recommend restful_authentication (https://github.com/technoweenie/restful-authentication). Quick tutorial: http://railscasts.com/episodes/67-restful-authentication
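Added example, not taken from any of the posts above: a self-contained stand-in for the CanCan-style Ability object that several answers point to, covering the admin/business/consumer campaign roles from the earlier question and the owner-only show/edit/destroy check from this one. It is plain Ruby rather than the CanCan gem, and the `Ability`, `dispatch`, `User` and `Campaign` names are assumptions.

```ruby
# Added example: a minimal stand-in for the CanCan-style Ability pattern
# (hypothetical; not the CanCan gem and not any poster's code).
User     = Struct.new(:id, :role)       # role: :admin, :business or :consumer
Campaign = Struct.new(:id, :owner_id)   # owner_id: the business that created it
class AccessDenied < StandardError; end

class Ability
  # All rules live in one place, keyed by role, instead of ad hoc before_filters.
  def initialize(user)
    @rules = []
    user ||= User.new(nil, :guest)      # nil user == not logged in
    case user.role
    when :admin
      can(:manage, :all)                # admins can do everything
    when :business
      can([:read, :create, :analytics], Campaign)
      # ownership check: only the business that owns a campaign may change it
      can([:update, :destroy], Campaign, ->(c) { c.owner_id == user.id })
    when :consumer
      can([:read, :your], Campaign)     # browse campaigns / see own participations
    end
    # any logged-in user may show/edit/destroy only their own User record
    can([:show, :update, :destroy], User, ->(u) { u.id == user.id }) if user.id
  end

  def can(actions, subject, condition = nil)
    Array(actions).each { |a| @rules << [a, subject, condition] }
  end

  # subject is a class ("may this role create campaigns at all?") or an
  # instance, in which case the ownership condition is evaluated against it
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |a, s, cond|
      (a == :manage || a == action) && (s == :all || s == klass) &&
        (cond.nil? || subject.is_a?(Class) || cond.call(subject))
    end
  end

  # the before_filter / load_and_authorize_resource equivalent
  def authorize!(action, subject)
    raise AccessDenied, "#{action} on #{subject.inspect}" unless can?(action, subject)
    true
  end
end

# Simulates one request: :ok if the action would run, :forbidden if the filter halts it.
def dispatch(user, action, subject)
  Ability.new(user).authorize!(action, subject)
  :ok
rescue AccessDenied
  :forbidden
end
```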
I'm slowly but surely putting together my first Rails app (first web app of any kind in fact; I'm not really a programmer) and it's time to set up a user registration/login system. The nature of my app is such that each user will be completely separated from each other user (except for admin roles). When users log in they will have their own unique index page looking at only their data, which they and no one else can ever see or edit. However, I may later want to add a role for a user to be able to view and edit several other users' data (e.g. a group of users may want to allow their secretary to access and edit their data, but their secretary would not need any data of their own).
My plan is to use authlogic to create the login system and declarative authorization to control permissions but before I embark on this fairly major and crucial task I thought I would canvas a few opinions as to whether this combo was appropriate for the tasks I envisage or whether there would be a better/simpler/faster/cheaper/awesomer option.
What about cancan by Ryan Bates?
Here you can get a complete visual guided implementation
Take a look at this, it might help:
Basic Rails 3 engine utilizing Authlogic, CanCan and Easy Roles
What about Devise? Take a look at the railscasts.com site.
I'm looking for a quality Administrative plugin for Rails. It seems that most of the existing plugins/gems (e.g. "restful_authentication", "acts_as_authenticated") revolve around self-signup, etc. However, I'm looking for a full-featured Administrative/Management role-based type of solution -- but not one that's simply tacked on to another non-role-based solution.
If I can't find one, I suppose I'll roll my own...just wasn't looking to re-invent the wheel.
Ryan Bates has recently made two railscasts on authorization (note the difference between authentication and authorization; authentication checks if a user is who she says she is, authorization checks if the user has access to a resource). Episode #188 is on declarative_authorization, which is a really powerful authorization plugin. Episode #192 (sorry, I don't have enough reputation to link to it) is about Ryan Bates' own CanCan plugin, which is a much simpler plugin, but it would still work for most apps.
There are a few out there. I have used:
http://github.com/DocSavage/rails-authorization-plugin/ for applications before in conjunction with restful_authentication, but I believe it will work with any authentication that gives you a current_user method. On GitHub there is also http://github.com/mdarby/restful_acl/ and http://github.com/danryan/role_model/; they are just role-based stuff though, I'd say, not authentication as well.
The authentication and the role-based access control stuff are all available as separate plugins/gems to the best of my knowledge, and that's a good thing as they are different beasts. Not all apps that have authentication need to have ACL-type stuff, and even some that do only need a really simple "am I an admin" kind of thing rather than a full-blown user roles thing. So I'd say if you want one that does it all you'll have to write it; if you don't want to do that, then I'd say a combination of either Authlogic or restful_authentication with one of the authorization plugins will do the trick quite nicely.
You might check out the links in "Which Rails plug in is best for role based permission?".
None of the solutions listed there seem very appealing to me. The top contender, role_requirement, apparently requires restful_authentication, but I find AuthLogic much better designed and less intrusive. The others listed seem to not be very actively maintained.