There are a few very good authorization gems, like cancan and declarative_authorization. But here's a problem: authorization rules are separated in a class, but I need to place them in a table or maybe some YAML config file to change them in an admin panel eventually. Ideally, I could change permissions both for user groups and for individual users in the admin panel. Are there any solutions?
You can do that with CanCan.
As explained on this wiki page: http://github.com/ryanb/cancan/wiki/Role-Based-Authorization
You just need to define your roles in the database the way you want. After that, you need to check in your Ability model whether your user has the role or not. You can change permissions directly from the database.
I have a User table where I store user information and I have a Role table where I store the roles. The associations of the tables are: a User can have just one role, and roles can have more than one User.
I have my controller where I have actions like "create, new, update, delete". I want to use authorization for these actions. For example admin can do everything, a simple user can just read etc. I'm very new in RoR, can somebody tell me how to permit/restrict access to specific pages/actions based on roles.
Thanks in advance
The CanCanCan gem is designed for this task.
I would also recommend considering the gem Devise for user authentication, rather than rolling your own solution.
I'm a new user to the CMS; after extensive search on Google and through the GitHub repo of Comfy, all I found is this file - http_auth.rb, where I can add name:password pairs, I think this is for basic HTTP auth.
Here's from the manual:
After finishing installation you should be able to navigate to http://abcd.com/admin
Default username and password is 'username' and 'password'. You probably want to change it right away. Admin credentials (among other things) can be found and changed in the cms initializer: /config/initializers/comfortable_mexican_sofa.rb
Before creating pages and populating them with content we need to create a Site. Site defines a hostname, content path and its language.
As I see now, this actually means there can only be one user, the admin? No user support like in WordPress etc?
There's a good extension gem built on Devise called cms-fortress. This is likely the easiest way to add multiple users to a Comfy rails app.
By default you get a new admin route at /cms-admin and login:
username: admin@cmsfortress.com
password: 1234qwer
Other more advanced features like user permissions are also implemented.
Out of the box ComfortableMexicanSofa only supports BasicAuth. So yeah, only one "admin". This CMS doesn't have a user/auth system because it doesn't want to take away freedom of choice from you (see Refinery/Devise).
However, it's very easy to make it work with whatever you want. See: https://github.com/comfy/comfortable-mexican-sofa/wiki/Changing-default-authentication
This way you can use your existing Devise / Sorcery / whatever else auth system.
Also, for many installs Devise is a major overkill. Sometimes one admin user is more than enough.
I'm quite new to rails and I'm trying to setup an authorization system that allows me to control which attributes of a model can be modified by a user.
I use declarative_authorization for a role based authorization. This already provides me quite a lot of functionality: restrict what the user can see in the view depending on his roles, which actions he can perform in the controllers and basically also which actions he is allowed to do on the model.
However, I just can't find an answer on how to restrict the actions on specific attributes of a model depending on the role.
Example:
A user that has a :guest role is allowed to update certain attributes of a user-account: When he tries to log in with a wrong password, I want to update a specific field of a user-account that will make this account inactive. The :guest role should however never be able to change the nickname of this user account.
I therefore use the "using_access_control" method in my user-model, but this either gives "update" privileges on an account for all attributes or no "update" privilege at all depending on the role.
I understand that "strong_parameters" is a gem that would basically make such functionality available but I have no clue on how to fit both "declarative_authorization" and "strong_parameters" together or how to do it simply with "declarative_authorization".
Can somebody point me to the solution?
Many thanks!
# Run the enclosed block with declarative_authorization's checks switched off
Authorization::Maintenance::without_access_control do
  # do something
end
I hope this was helpful.
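The attribute-level restriction the question asks for (a :guest may deactivate an account after a failed login but never touch the nickname) can be done by whitelisting attributes per role before the update reaches the model. This is an added example in plain Ruby, not code from declarative_authorization or strong_parameters; ROLE_ATTRIBUTES, VALUE_RULES, permit_update and ForbiddenAttribute are names assumed here.

```ruby
# Added example (plain Ruby, no Rails): per-role attribute whitelisting for updates to a
# user account, the strong_parameters idea applied per role. ROLE_ATTRIBUTES, VALUE_RULES,
# permit_update and ForbiddenAttribute are names assumed here, not an API of
# declarative_authorization or strong_parameters.
class ForbiddenAttribute < StandardError; end

# Attributes each role may write on a user account. A :guest (the not-yet-authenticated
# login flow) may only touch "active"; nickname is reserved for members and admins.
ROLE_ATTRIBUTES = {
  guest:  %w[active],
  member: %w[nickname email],
  admin:  %w[nickname email active],
}.freeze

# Value-level limits on top of the key whitelist: a guest may deactivate an account
# after a failed login but must never be able to reactivate one.
VALUE_RULES = {
  guest: { "active" => ->(value) { value == false } },
}.freeze

# Returns a hash holding only the attributes the role may write (string keys).
# Anything outside the whitelist raises instead of being dropped silently, so the
# caller can log it: an unexpected key from a client is worth an alert, not a shrug.
def permit_update(role, params)
  allowed = ROLE_ATTRIBUTES.fetch(role, [])
  attrs = params.transform_keys(&:to_s)
  forbidden = attrs.keys - allowed
  unless forbidden.empty?
    raise ForbiddenAttribute, "#{role} may not set #{forbidden.sort.join(', ')}"
  end
  VALUE_RULES.fetch(role, {}).each do |key, check|
    next unless attrs.key?(key)
    unless check.call(attrs[key])
      raise ForbiddenAttribute, "#{role} may not set #{key} to #{attrs[key].inspect}"
    end
  end
  attrs
end

# Constructed flow from the question: a guest fails to log in and the app locks the
# account; the write goes through the guest whitelist like any other update.
def lock_account_after_failed_login(account)
  account.merge(permit_update(:guest, { active: false }))
end
```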
As I work may way through a Rails app, I have another question. The app allows for users to sign up via Devise. That works. Within the app, users are able to create their own groups called Circles. That works. Now I want the user to be able to add other users to their Circle. This doesn't work.
So far I've implemented CanCan and Rolify. I'm able to assign a role to a user from the User model, so I know the setup is working just fine. What I cannot figure out is how a user can add another user to a specific Circle. I've looked over SO and found something close to what I want to do here: Authorization in Rails 3.1 : CanCan, CanTango, declarative_authorization?, but this doesn't work for my situation.
I know how to add a role at the application level with CanCan. What I want to do is add a role at the specific Circle instance. Not all users will have access to a Circle, only those who are added.
I'm open to other ways to accomplish this if anyone has any ideas. What would be the best way to set this up?
EDIT
I figured out how to do this from rails console. user.add_role :moderator, Circle.find(22) This works perfectly and saves to the database. How can I do this same thing through a form in a view?
Use a controller... it will add the role after you submit the form! In the controller you can just use a class method, for example :)
Let me know if I need to be more explicit!
Cheers
A lot of the Rails authorization gems are based on the idea of roles. We have a website that does not have "roles" but rather many users. Each user needs access to change/update information on a single page rather than on lots of pages in the role of author. The page that they are editing is publicly accessible (view) but only editable by that user or the admin. No other user can edit that page.
Creating a role per user for this is silly.
Are there any rails gems already available that will allow this sort of mapping to users that do not have a particular grouping in a role?
Am I looking at the problem incorrectly?
Thanks.
You can use CanCan, and limit the queries / actions per user. Check it here: https://github.com/ryanb/cancan. And there's an example of how to do this in Railscast 192.
I have the idea that I've seen an example in which CanCan added a mixin to ActiveRecord to provide some out-of-the-box authorization, but I can't find an example of that. I think the code looked like (if the app were a blog with comments) Comment.authorize.find(1), and that command validated that the user had created the comment.
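The first question above (rules kept in a table or YAML file, editable per group and per user) and this one (a page anyone may view but only its owner or an admin may edit) can both be served by rules loaded from a config document instead of a hard-coded Ability class. This is an added example in plain Ruby, not CanCan's code; RULES_YAML, ConfigAbility and the Page/User structs are constructed stand-ins.

```ruby
require "yaml"

# Added example (plain Ruby, no CanCan): authorization rules kept in a YAML document an
# admin panel could edit, rather than hard-coded in an Ability class. Rules under "roles"
# apply to every user with that role, rules under "users" to one account, and "owner: true"
# limits a rule to records whose user_id is the acting user's. Constructed sample config:
RULES_YAML = <<~YAML
  roles:
    admin:
      - { action: manage, subject: Page }                # manage expands to every action
    member:
      - { action: read,   subject: Page }                # pages are publicly viewable
      - { action: update, subject: Page, owner: true }   # but editable only by their owner
  users:
    42:
      - { action: update, subject: Page }                # per-user override: 42 edits any page
YAML

# Minimal stand-ins for the app's models.
Page = Struct.new(:id, :user_id)
User = Struct.new(:id, :roles)

class ConfigAbility
  ACTION_ALIASES = { "manage" => %w[read create update destroy] }.freeze

  def initialize(user, yaml = RULES_YAML)
    cfg = YAML.safe_load(yaml)
    role_rules = cfg.fetch("roles", {})
    user_rules = cfg.fetch("users", {}).transform_keys(&:to_s)  # ids may be ints or strings
    @user = user
    @rules = user.roles.flat_map { |r| role_rules.fetch(r.to_s, []) } +
             user_rules.fetch(user.id.to_s, [])
  end

  # Deny by default: only an explicit matching rule grants the action.
  # Accepts a record (ownership is checked) or a class (e.g. can?(:create, Page)).
  def can?(action, record)
    subject = record.is_a?(Class) ? record.name : record.class.name
    @rules.any? do |rule|
      next false unless rule["subject"] == subject
      actions = Array(ACTION_ALIASES.fetch(rule["action"], rule["action"]))
      next false unless actions.include?(action.to_s)
      !rule["owner"] || (record.respond_to?(:user_id) && record.user_id == @user.id)
    end
  end
end
```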
Role based permission systems are old hat; MySQL changed from a roles based system to a permissions based system a long time ago. I have a plugin that is very similar to cancan but it differs in a few small ways: Fat Model Auth