Say I have the models:
File
FileGroups
User
UserGroups
I'd like to be able to manage the user's permissions to files based on whether or not they are in a certain group. Now these permissions aren't set in stone and can be altered by an administrator through the UI.
Are there any Rails-specific gems that can help out with this? I believe declarative auth isn't something that would suit my needs as it is explicitly defined in the code.
Any insight would help. Anything to save me from coding a permissions system myself.
Thank you kindly.
I used:
1) cancan - https://github.com/ryanb/cancan
and
2) acl9 - https://github.com/be9/acl9
Related
Currently I'm working on a system that uses the ZendFramework2 Acl implementation for managing user roles and permissions for various parts of it. Till this moment it works as it is supposed to, allowing or rejecting users based on their role. Recently we got a new feature request: implement functionality that allows permission management per user, regardless of the role he or she has. Here comes the tricky part: the Zend implementation of Acl doesn't meet the requirements out of the box (if it is supposed to do so at all). Just to note: the system is already tightly integrated with the current model, so it would be a pain to use another kind of permission management model.
So far the best solution I could think of was to represent individual users as roles in Acl and grant them appropriate privileges, so it is possible to dynamically create or delete resources and privileges for users, without impacting overall role permissions (which still apply).
Could I get some suggestions please? Is this the "right way" or is there a better approach to the problem? Thanks in advance :)
If a user, by the fact of being himself, has some privileges, then you have to create a new role for that user.
I have just developed an ACL module that allows you to manage access to each route just by creating a new key in each route called 'roles'. You do not have to configure the ACL by creating allow rules manually; this module creates the rules automatically for you by reading the routes.
You can have a look: https://github.com/itrascastro/TrascastroACL
Is there a framework or common pattern for implementing dynamic permissions?
Something like Rolify but where I wouldn't have to restart the server.
I guess I could just iterate through each User that has a role and add/remove permissions but that seems like overwork.
This reminds me a lot of this question.
Your question is very difficult to understand because all the role-based access control gems like rolify allow the implementation of dynamic permissions.
So, I'm left wondering if, like the other question that I linked to above, perhaps you've misunderstood the way to use these role-based systems.
The idea is that you grant access/permissions to roles (not individual users) and then you assign users to as many different roles as they need in order to have the access/permissions that they need. Obviously, you can assign users to roles dynamically, that's what these libraries provide.
A lot of the Rails authorization gems are based on the idea of roles. We have a website that does not have "roles" but rather many users. Each user needs access to change/update information on a single page rather than on lots of pages in a role of author. The page that they are editing is publicly accessible (view) but only editable by that user or the admin. No other user can edit that page.
Creating a role per user for this is silly.
Are there any Rails gems already available that will allow this sort of mapping to users that do not have a particular grouping in a role?
Am I looking at the problem incorrectly?
Thanks.
You can use CanCan, and limit the queries / actions per user. Check it here https://github.com/ryanb/cancan . And there's an example of how to do this in Railscast 192.
I have the idea that I've seen an example in which CanCan added a mixin to Active Record to provide some out-of-the-box authorization, but I can't find an example of that. The code looked like (if the app were a blog with comments) Comment.authorize.find(1), and that command validated that the user had created the comment.
Role based permission systems are old hat, MySQL changed from a roles based system to a permissions based system a long time ago.
I have a plugin that is very similar to cancan but it differs in a few small ways. Fat Model Auth
There are a few very good authorization gems, like cancan and declarative_authorization. But here's a problem: authorization rules are separated in a class, but I need to place them in a table or maybe some YAML config file to change them in an admin panel eventually. Ideally, I could change permissions both for user groups and for individual users in the admin panel. Are there any solutions?
You can do that with Cancan.
As explained on this wiki page: http://github.com/ryanb/cancan/wiki/Role-Based-Authorization
You just need to define your roles in the database however you want. Then you need to check in your Ability model whether your user has the role or not. You can change his permissions directly from the database.
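The approach the answers above describe (rules kept as rows an administrator edits, granted to groups, with per-user exceptions) looks like this in plain Ruby. This is an added example, not CanCan's API or code from any of the posts; `PermissionStore` and its method names are hypothetical stand-ins for the database tables.

```ruby
require "set"

# Added example: in-memory stand-in for permission tables that an admin UI edits.
# PermissionStore and its method names are hypothetical, not any gem's API.
class PermissionStore
  ACTIONS = %i[read write delete].freeze

  def initialize
    @members   = Hash.new { |h, k| h[k] = Set.new } # user_group => users
    @grants    = Hash.new { |h, k| h[k] = Set.new } # [user_group, file_group] => actions
    @overrides = {}                                  # [user, file_group, action] => :allow/:deny
  end

  def add_member(user, user_group)
    @members[user_group] << user
  end

  def grant(user_group, file_group, action)
    @grants[[user_group, file_group]] << check(action)
  end

  def revoke(user_group, file_group, action)
    @grants[[user_group, file_group]].delete(check(action))
  end

  # Per-user exception; effect is :allow or :deny and beats any group grant.
  def override(user, file_group, action, effect)
    raise ArgumentError, "bad effect #{effect.inspect}" unless %i[allow deny].include?(effect)
    @overrides[[user, file_group, check(action)]] = effect
  end

  # Deny by default: no matching row means no access.
  def allowed?(user, file_group, action)
    effect = @overrides[[user, file_group, check(action)]]
    return effect == :allow if effect
    @grants.any? do |(ug, fg), actions|
      fg == file_group && actions.include?(action) && @members[ug].include?(user)
    end
  end

  private

  # Reject unknown actions so a typo in the admin UI cannot create a silent rule.
  def check(action)
    ACTIONS.include?(action) ? action : raise(ArgumentError, "unknown action #{action.inspect}")
  end
end
```

Because every check reads the current rows, a grant or revoke takes effect on the next request with no restart, and an explicit per-user deny still holds if the user is later added to a group that has the grant.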
I need to add role based permissions to my Rails application, and am wondering what the best plugins out there are to look into. I am currently using the RESTful authentication plugin to handle user authentication. Why is the plugin you suggest better than the other ones out there?
I've got to recommend easy_roles. It's super lightweight and doesn't require extra tables, etc.
http://github.com/platform45/easy_roles
http://gemcutter.org/gems/easy_roles
But role authentication is definitely site dependent. Different role authorization plugins suit different sites.
If you don't feel easy_roles suits your needs, check out:
http://ruby-toolbox.com/categories/rails_authorization.html
I use, and really like, role_requirement:
http://code.google.com/p/rolerequirement/
We've put role_requirement into Bort too, as it's probably the best solution out there at the moment.
I'm a very satisfied user of ACL
http://agilewebdevelopment.com/plugins/acl_system
Do try it!
I recommend Rails Authorization which will work with Restful Authentication quite nicely.