Rails authorization plugins - ruby-on-rails

We are evaluating plugins for Authorization in Rails. The two at the top of our list are
cancan and declarative_authorization.
I would like to get some feedback from anyone currently using either of these plugins.
The problem we are going to face with any authorization plugin is that we have a
database per customer model and will need to modify the plugin to work within that
model. Because of this fact I'm interested in hearing from anyone who has had to tweak the
plugins at all as well.
I'm just starting to look around at the code. It seems like cancan might be a little easier to customize.
Any thoughts?

Cancan is a lighter-weight plugin for smaller sites. You can see a video on Railscasts.
http://railscasts.com/episodes/192-authorization-with-cancan
I've used declarative_authorization with authlogic/restful_auth for several projects. It has everything you would need. 1) Model security. 2) Controller security 3) methods available to the view to check auth.
The only frustrating thing I've run into with declarative_authorization is me not reading the rdocs.
http://railscasts.com/episodes/188-declarative-authorization

Authority
I'd suggest you also check out my new gem, Authority. Because you do the actual logic in plain Ruby classes and methods, you can check any data source you need to: different databases, static files, phases of the moon via a web request, you name it. :)

I ended up using declarative_authorization. Now it seems that auth_logic is where the community is headed.
declarative_auth would have been really simple if it wasn't for our app's multi-tenant DB model. I had to modify the source a bit to make it all work, but it wasn't too tough to do, and I was pretty green when I started this project.
It seems like you really can't go wrong with any of the solutions. cancan seemed cool too, but it would have needed more mods for what I was doing, so I decided against it.
It's written by Ryan Bates though, which is cool. Love Railscasts! :)
I know this post is old, but I figured I'd update anyway because you never know.
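Since this thread turns on scoping authorization to one customer's database and on keeping the rules in plain Ruby, here is an added example in the `can`/`can?` style the posts discuss; it is not code from the original posts, from CanCan, declarative_authorization or Authority, and the `User`, `Project` and `Ability` names are assumed. It is deny-by-default, and every rule carries the caller's tenant id, so a record whose id collides with one from another customer's database never matches.

```ruby
# Tenant-scoped authorization rules in plain Ruby, in the can/can? style
# of CanCan. Constructed example: these classes are not CanCan's code.
# Authentication is assumed to have happened already; `user` is the
# authenticated principal (or nil for an anonymous request).
User    = Struct.new(:id, :tenant_id, :roles)
Project = Struct.new(:id, :tenant_id, :owner_id)

class Ability
  Rule = Struct.new(:action, :subject_class, :conditions)

  def initialize(user)
    @rules = []   # deny by default: no matching rule means no access
    return if user.nil?
    # Every rule is pinned to the caller's tenant, so a record from another
    # customer's database is never matched even if its id collides.
    if user.roles.include?(:admin)
      can(:manage, Project, tenant_id: user.tenant_id)
    else
      can(:read,   Project, tenant_id: user.tenant_id)
      can(:update, Project, tenant_id: user.tenant_id, owner_id: user.id)
    end
  end

  # Record a rule: an action (or :manage for all actions), a subject class,
  # and attribute conditions the record must satisfy.
  def can(action, subject_class, conditions = {})
    @rules << Rule.new(action, subject_class, conditions)
  end

  # True only if some rule covers this action on this record's class and
  # every condition attribute on the record equals the rule's value.
  def can?(action, subject)
    @rules.any? do |r|
      r.subject_class === subject &&
        (r.action == :manage || r.action == action) &&
        r.conditions.all? { |attr, val| subject.public_send(attr) == val }
    end
  end

  def cannot?(action, subject)
    !can?(action, subject)
  end
end
```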

Related

Any reason why Ruby on Rails doesn't have a standard user authenticated system built in?

This question aims to understand RoR and frameworks in general. It looks like RoR never had any standard user authentication system. Was it just historical reason (just happened naturally as it did)... or could it be intentional? Because RoR is a website building tool, more often than not, user authentication is a crucial part of a website.
To put it into perspective, another question is, do other popular frameworks, Django, Symfony, CakePHP, have user authentication built in?
There is no reasonably generic way to do user authentication. Most frameworks leave it up to you to choose the plugin that most closely matches what you're trying to accomplish.
For example, consider these two situations:
a blog which has a single administrator with password-protected admin-facing tools
a site like YouTube which allows users to sign up and administer their own content
Both of these sites would require vastly different authentication systems; which of these systems should Rails cater to out-of-the-box?
The Rails core team wanted to ensure that Rails was open-ended enough to make anything you want. There is no one-size-fits-all authentication scheme, so the core team decided to leave it out. Rails is easily extendable via gems and plugins, so that is where they belong.
Some examples are Warden and the Rails Warden plugin, Devise, Authlogic, and Restful Authentication.
CakePHP has a built in Authentication component that is pretty straight forward and easy to implement.
Most of these frameworks you mentioned are toolkits, not complete products. You build these things yourself, or leverage plugins from the community. Django's admin plugin/module has authentication out of the box though. Drupal does too, as a matter of fact.
Authentication can be (and is, in my opinion) a matter of taste and need. If Rails included things like that, it would start to become a website and not a framework. The programmer has to be free to choose among various implementations. That is why gems are available.
I've been programming a little in Rails and CakePHP, and I can say that Rails doesn't need to provide a mechanism like this. The community is very, very good, and there are many examples (already said, like Devise, Authlogic...) made by very good programmers. Of course, there are many tutorials online (and also Railscasts, which are simply awesome) to program a successful set-up for your project. So, if we have all of this, why should we need something like the CakePHP mechanism? It's OK, it works, but there's just a very good tutorial and that's all (and maybe enough...). So, in the end, if you have a nice community you shouldn't care about the core of the technology; there will always be someone else more experienced with your needs that will do it for you. And if you don't find it, do it by yourself, and in the process you will find a lot of help! :)

Ruby on rails authentication guide

Does anyone know of a good guide on building your own authentication system in ruby on rails?
I want to roll my own system to use with my community I'm building :)
Thanks!
I'd recommend starting with Warden - it'll handle the very basics of sessions for you, and give you a good foundation to build your logic on top of. The Rails Warden plugin is a rather small library that helps integrate it into Rails. Both of these projects are fairly mature and well-constructed yet still under active development - they're good choices all around.
You should be aware of Devise, another authentication framework (like Authlogic or Restful Authentication) that is based on Warden. It may not be a good fit for your project (it wasn't for mine), but looking through the source might give you a few ideas on how best to use Warden.
The other thing I'll note is that, in terms of hashing passwords, you should absolutely use bcrypt.
Michael Hartl has a good book coming out soon, and the first 8 chapters are available in PDF format for free here: http://www.railstutorial.org/ - they cover the entire process of creating a very solid RSpec-driven authentication system. Can't recommend it highly enough.
Well, it came out a while after you asked your question but the best answer if you're keen to build your own authentication system rather than use something like Devise would probably have to be Ryan Bates' Authentication from Scratch Screencast.
Since authentication is a common problem that has been solved many times already, I would start by investigating the solutions already out there.
For example, have a look at Restful Authentication which provides a good foundation for authentication in Rails. Even if you'd rather roll your own system, playing around with Restful Authentication and understanding how it works should give you a good understanding of the components needed when you start building your own system.
Check out this article:
http://www.aidanf.net/rails_user_authentication_tutorial
The author goes, step by step, through an entire authentication framework, with suggestions on further improvements. Even tests are discussed.
I agree with Ritchie... Devise has some very nice features but it doesn't play nice with others. For many use-cases, the way it hijacks the routing can make your job more difficult. In many situations you may be better off rolling your own.
Devise has caused circular references in my Rails asset pipeline, and the settings in the initializer as installed (in the latest version as of yesterday) conflicted with the defaults in the migration it generated.
I have built enterprise-level authentication systems, including email verification, password recovery, etc. And none of it required the routing shenanigans that Devise uses. If you really need all the features, it may be for you. But there are lots of reasons to not use it, too.

Restful_authentication vs. Authlogic

What do you recommend?
Authlogic or restful_authentication?
Is it hard to build the email activation step into Authlogic
(as far as I know, Authlogic doesn't have this feature included)?
Actually I'd disagree with fig-gnuton. There are a couple of things that you could do. If you want a basic solution try restful auth but be aware that the generator based approach has significant shortcomings. The main shortcoming is that you are squirting a large gob of code into your application. So when there's an issue you have to patch the code manually or blow away any customisations you've made. Recent versions of restful auth are much better than earlier versions which spewed code left, right and centre but my advice would be where possible leave the user and session code generated by restful auth well alone. For example if you want properties on your User make another object like Person and link the two.
I prefer authlogic because:
It feels like you're more in control.
I appreciate the extent to which authlogic is documented and their example app is pretty useful as a guide too.
Also I've had bother with testing restful_auth apps, not so with authlogic.
Extensions like forgotten password resets, API keys and the like are much less custom code than restful_auth.
And don't forget Clearance, the other kid on the block.
Restful Authentication is crap. It's the kind of thing that gives Rails generators a bad name.
What do I mean by that? The generators that come with Rails are (IMHO) good. They generate a very minimalistic skeletal structure. What they generate is small, easily understood, and easily added to/replaced by your own code as you go. All the complex gnarly pieces are in the Rails libraries, where they belong, not in the generated code.
Restful Authentication, on the other hand, comes with generators that spew out massive amounts of generated code that's hard to work with and hard to maintain. Functionality that should be in a nice library, where it can be easily upgraded with each new version of the framework, is instead spewed out in generated model and controller code where it'll end up intermixed with your code. It's not scaffolding, it's a mass one-way dump of autogenerated code.
Stay away... stay far away....
You're better off with authlogic.
Take a look at my reasoning here:
http://blog.platform45.com/2009/09/30/user-authentication-with-authlogic
Restful_Auth is a drop-in solution.
Authlogic is great and can do anything restful_auth can do (and more, afaik), but Authlogic is geared to customization, it therefore lacks the generator aspect (by design rather than oversight).
Bottom line, if you're a newbie (sounds like you might be), I'd start with restful_auth.

(Ruby,Rails) Role-based authentication and user management...?

I'm looking for a quality Administrative plugin for Rails. It seems that most of the existing plugins/gems (e.g. "restful_authentication", "acts_as_authenticated") revolve around self-signup, etc. However, I'm looking for a full-featured Administrative/Management role-based type of solution -- but not one that's simply tacked on to another non-role-based solution.
If I can't find one, I suppose I'll roll my own...just wasn't looking to re-invent the wheel.
Ryan Bates has recently made two railscasts on authorization (note the difference between authentication and authorization; authentication checks if a user is who she says she is, authorization checks if the user has access to a resource). Episode #188 is on declarative_authorization, which is a really powerful authorization plugin. Episode #192 (sorry, I don't have enough reputation to link to it) is about Ryan Bates' own CanCan plugin, which is a much simpler plugin, but it would still work for most apps.
There are a few out there. I have used:
http://github.com/DocSavage/rails-authorization-plugin/ for applications before in conjunction with restful_authentication, but I believe it will work with any authentication that gives you a current_user method. On github there are also http://github.com/mdarby/restful_acl/ and http://github.com/danryan/role_model/; they are just role-based stuff though, I'd say, not authentication as well.
The authentication and the role-based access control stuff are all available as separate plugins/gems to the best of my knowledge, and that's a good thing as they are different beasts. Not all apps that have authentication need to have ACL-type stuff, and even some that do only need a really simple "am I an admin" kind of thing rather than a full-blown user roles thing. So I'd say if you want one that does it all you'll have to write it; if you don't want to do that, then I'd say a combination of either Authlogic or restful_authentication with one of the authorization plugins will do the trick quite nicely.
You might check out the links in "Which Rails plug in is best for role based permission?".
None of the solutions listed there seem very appealing to me. The top contender, role_requirement apparently requires restful_authentication, but I find AuthLogic much better designed and less intrusive. The others listed seem to not be very actively maintained.

What rails plugins are good, stable and *really* enhance your code?

Anyone have a list of rails plugins that are both stable and give you enough functionality to be worth the extra effort of supporting?
Edit:
I am mostly interested in the best, most complete list of plugins so I can use it the next time I'm starting a Rails app. I don't currently need a particular plugin.
You can use Bort as a reference:
Plugins Installed
Bort comes with a few commonly used plugins installed and already set up.
RESTful Authentication
RESTful Authentication is already set up. The routes are set up, along with the mailers and observers. Forgotten password comes set up, so you don’t have to mess around setting it up with every project. The AASM plugin comes pre-installed. RESTful Authentication is also set up to use user activation.
User Roles
Bort now comes with Role Requirement by Tim Harper. A default admin role is predefined along with a default admin user. See the migrations for the admin login details.
Open ID Authentication
Bort, as of 0.3, has Open ID integrated with RESTful Authentication. Rejoice!
Will Paginate
We use will_paginate in pretty much every project we use, so Bort comes with it pre-installed.
Rspec & Rspec-rails
You should be testing your code, so Bort comes with Rspec and Rspec-rails already installed so you’re ready to roll.
Exception Notifier
You don’t want your applications to crash and burn, so Exception Notifier is already installed to let you know when everything goes to shit.
Asset Packager
Packages up your css/javascript so you’re not sending 143 files down to the user at the same time. Reduces load times and saves you bandwidth.
P.S.: agree with #eric, specifically:
restful_authentication for sign in, sign out, sign up.
paperclip for file uploads.
rspec and shoulda for testing.
Could you be more specific in what you are looking for? There are so many great plugins for so many different tasks, it's hard to guess the right ones for you.
Try resource_controller. http://jamesgolick.com/2007/10/19/introducing-resource_controller-focus-on-what-makes-your-controller-special
It seriously dries up your RESTful controllers. And is the only plausible way of implementing polymorphic actions that I've come across.
Loads of other good stuff too. Give it a try.
I can imagine why you are asking that. I used to work on a project with more than 20 plugins in use. Sure, it sped up the development early on, but later debugging became difficult. Also, updating to a new version of Rails was a lengthy process.
My advice is: don't start using a plugin before you have a reasonable understanding of how it works and of the trade-offs involved. For small plugins you should probably read the source code. For larger ones, see what other people are saying about them, when the plugin was last updated, etc.
For scanning popular plugins, see the most popular github projects. Quite a few of them are Rails plugins.
For me, Haml is excellent. It's not for everyone but if it clicks with you you'll love it. Set aside 30 min and give it a shot. It reduces the clutter in my views by about 50%.
It's easy to install using Rails 2.1+'s gem dependencies:
# environment.rb
config.gem 'haml'
Then:
rake gems:install
Ruby Trends is a good place to check what the most popular plugins/gems/books/practices are. It's like StackOverflow (i.e., voting plugins up/down) but is more fine-grained and has the ability to search/filter.
In my Rails time I used http://github.com/mbleigh/acts-as-taggable-on/tree/master with success.
