I've got devise working, but I see CanCan frequently mentioned in tutorials alongside Devise; is it meant to be complementary or is CanCan an alternative to Devise?
CanCan covers authorization - who is allowed to do what. Devise handles authentication - are you truly you? That's how they complement each other. You can use one without the other.
See for example http://techoctave.com/c7/posts/34-authentication-vs-authorization.
Devise handles authentication (logging in and out, handling sessions, etc.) but it does not handle authorization (allowing access to views or actions).
If you have a non-trivial application, then you will need authorization and probably roles.
CanCan is a very simple authorization Gem, which can work nicely if you have very few roles, and very simple authorization rules. http://railscasts.com/episodes/192-authorization-with-cancan
If you have a lot of roles, or more complex authorization rules, then I would recommend declarative_authorization http://railscasts.com/episodes/188-declarative-authorization
Both work very well with Devise, and either Rails 2 or Rails 3.
For implementing roles you have two choices: having a roles table and a join table between roles and users in your database; or using the role_model plugin http://railscasts.com/episodes/189-embedded-association
You'll also have the choice if a user can only have one role, or many roles.
Hope this helps.
I'd like to implement a third-party Ruby on Rails authentication system that is actively developed and carries sensible defaults.
I've narrowed down my selection to AuthLogic and Clearance (thoughtbot) -- can anyone sway me in either direction? In terms of requirements, both would work for my project from what I can tell. It looks like documentation/code samples in both are fairly similar, and both are relatively easy to setup.
Anyone have a preference? I really like AuthLogic's OpenID plugin -- don't know if Clearance can do that.
Devise for sure :)
https://github.com/plataformatec/devise
I have used the restful_authentication gem, AuthLogic and Devise and I like Devise 'cos it's model based (higher up the stack is better and easier to rspec) and also lets you just put in an admin flag in the user table for admins and go with that (or use roles for more complex stuff).
Another gem that has become common with Devise is CanCan for roles, e.g. admin, reader, manager, etc. (whatever you want) with syntax like below (from the CanCan gem).
<% if can? :update, @article %>
<%= link_to "Edit", edit_article_path(@article) %>
<% end %>
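A plain-Ruby sketch of the role-based `can?` check used above, added here as an example; it is not CanCan's own code, and the User/Article structs and the rule set (admin, manager, article owner) are assumptions made for the demo.

```ruby
# Added example: a minimal stand-in for CanCan's Ability class (not the gem's
# code). Rules are "can ACTION on SUBJECT", optionally guarded by a block
# that inspects the specific record, and can? answers view/controller checks.
User    = Struct.new(:name, :roles)     # assumed: roles is an array of strings
Article = Struct.new(:title, :author)   # assumed: author is the owner's name

class Ability
  def initialize(user)
    @rules = []
    user ||= User.new('guest', [])      # guest: no roles
    can :read, Article                  # anyone may read articles
    if user.roles.include?('admin')
      can :manage, :all                 # the "admin flag" case: do anything
    elsif user.roles.include?('manager')
      can [:update, :destroy], Article  # managers may edit any article
    end
    # Any user may update articles they authored (per-record condition).
    can :update, Article do |article|
      article.author == user.name
    end
  end

  def can(actions, subject, &condition)
    Array(actions).each { |action| @rules << [action, subject, condition] }
  end

  # Authorization query: does any rule grant this action on this subject?
  def can?(action, subject)
    @rules.any? do |rule_action, rule_subject, condition|
      next false unless rule_action == :manage || rule_action == action
      next false unless rule_subject == :all || subject == rule_subject ||
                        subject.is_a?(rule_subject)
      # A class-level check (can? :update, Article) asks "could this user
      # update some article?", so a block rule counts as a possible yes.
      condition.nil? || subject.is_a?(Class) || condition.call(subject)
    end
  end
end
```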
Did you already rule out Devise for some reason?
If not, it's the most current and complete authentication framework for Rails. As for openID authentication, take a look at OmniAuth, which integrates seamlessly with devise.
Questions about authorization are often poorly formulated because we are all interested in different aspects.
In my case, we have a well developed application (Wagn, see http://wagn.org), and it has home-grown authentication functions built in already. What we are doing is making the application independent of the authentication system, so I am most interested in two dimensions:
1) What is the API for the provider interface and how easy is it to add to my app.
I've just done a lot of work to route all of it through a set of class or module methods that the application uses, and a model for the home-grown AR class (a User class and users table). This leads to the next part:
2) What authorization providers are available and what do I have to do to load them with my application (typically I would expect these to be in one or more Rack middlewares).
I don't need Devise, it does too much, I want an interface to external auth providers. My app may provide forms that will post parameters to the auth services, but it won't be using their Rails views or controller.
I suspect this situation is common for a certain class of developers.
Hello, I need the following function. An admin needs to be able to be "logged in" as a user, view all pages as that user, but still have the admin features. I am more than sure that ready-made solutions exist for this. If not, please give me advice on how to build this and avoid the issue when a user is logged in and an admin is logged in as this user.
You're talking about authentication and authorization. For authentication the most popular option right now is Devise. For authorization a popular option is CanCan (by Ryan Bates of railscasts fame). These two gems work well together and there's a lot of information out there on how to use them. (see below)
As for your question about an admin logging in as a user, here's a wiki for Devise on how to do that.
Screencast on using Devise
Screencast on using CanCan
I have models A,B,C,D, etc. I have my usual controllers/views/helpers for each of these models. These are accessed by a set of content authors in a form based application to populate data into the db. The content authors will also have categories like authors, publishers, super admins etc. Essentially we have built out a mini content management system.
A set of other users (unrelated to the above set) need to access data in some of these models. But the view for those are totally different. I also do not want these users to have the edit screens for the models they are allowed to view. Essentially these guys are end users who use the application as a read only/analytics data store.
How do I accomplish this? Should I create separate controllers and invoke these models for the user website? How do I ensure the website users do not have access to the cms screens? Any pointers, design principles, routing methods, gems for such an application?
How do I accomplish this? Should I create separate controllers and invoke these models for the user website?
I would create a different set of controllers for the backend and frontend. I would move the backend controller to a namespace. More Information on namespaces: http://guides.rubyonrails.org/routing.html#controller-namespaces-and-routing
How do I ensure the website users do not have access to the cms screens? Any pointers, design principles, routing methods, gems for such an application?
For this you need some kind of authentication and authorization. Some examples:
authentication:
authlogic
devise
authorization:
cancan
declarative_authorization
aegis
acl9
There are some good screencasts on this matter:
Authlogic
Declarative Authorization
Authorization with CanCan
Introducing Devise
Customizing Devise
You need a layer of authentication.
The easiest way, and I'd say the most common one, is to make separate controllers for each section, and add a before_filter method in each section authenticating and authorizing the user to continue (usually an is_admin? method on the user model), or redirect back with an error message if the user is not allowed.
You can separate your controllers with namespaces (something like /admin/authors, /admin/books/1/edit and so on), and keep them RESTful this way.
If you need a more complex schema, you can use any of the authorization tools out there http://ruby-toolbox.com/categories/rails_authorization.html
I am using Authlogic for my user authentication, and would like to add roles to my users - I need security checks from models and controllers:
current_user.has_role?('admin') etc
There are a lot of role-based plugins out there, but I'm not sure which one to use with Authlogic. Does anyone know what works best with Authlogic? (if any..)
Best regards.
Asbjørn Morell.
Check out the acl9 plugin. It's a really powerful solution and the author himself suggests Authlogic as underlying Authentication system.
Acl9 is an authorization solution, so you will need to implement authentication by other means. I recommend Authlogic for that purpose, as it's simple, clean and at the same time very configurable.
I am building a project management app and I am not sure which is the best/correct authorization model to implement given I am new to Rails (and programming in general). Here is what I am trying to do.
I want to be able to add a "client" to the application and then multiple projects to a client. I would like to be able to add users (that are essentially representatives of the client) to view that client's multiple projects but not other clients'. I intend on having controllers for time tracking, notes, comments and images, all to be associated with both clients and the projects of that client.
In addition, I would like to set up the account to control who is able to have one. I don't need the user to establish an account on their own.
Does that make sense?
I believe what you are mentioning is called Authorization not Authentication, anyway:
I would suggest acl9 for authorization and authlogic for authentication.
These (free) Railscasts should give you some food for thought. There are lots of great RubyGems/plugins out there for this sort of thing.
The Ruby Toolbox gives you an overview of tools and their popularity in the rails community (rated by watchers and forkers on GitHub). As you can see there, the suggested plugins restful_authentication and authlogic are almost on the same level.
Restful Authentication is still the golden standard for user authentication in ruby on rails.
I have used Authorization plug-in in the past and like it because it gives some nice meta methods such as:
user.is_eligible_for_what --> returns array of authorizable objects for which user has role "eligible"
user.is_moderator_of? group --> returns true/false
user.is_moderator_of group --> sets user to have role "moderator" for object group.
user.is_administrator --> sets user to have role "administrator" not really tied to any object.
There's also a brand new RailsCast on CanCan.
I'd use AuthLogic for authentication (logging in users and making sure they are who they claim to be) and declarative_authorization for authorization (making sure they have access to resources). See Ryan Bates' excellent Railscasts on AuthLogic and restful_authentication for more info.