RESTful Acl plugin

Plugin details

A Ruby on Rails plugin that provides fine-grained access control to RESTful resources in a Ruby on Rails 2.0+ project.
RESTful_Acl is a simple Access Control Layer for Ruby on Rails. It restricts access on a fine-grained level to any RESTful MVC stack. While the ACL structure and engine are provided by this plugin, the implementation is fully up to the user. Every application is different and everyone likes to set up their User / Account / Role resources differently; this plugin will allow you to do your thing and keep that thing locked down.

Repository: http://restful-acl.googlecode.com/svn/tags/restful_acl/
Author: Matt Darby
Tags: ACL
License: MIT

Documentation

Install the plugin:
ruby script/plugin install http://restful-acl.googlecode.com/svn/tags/restful_acl/

How to Use
======================
1. Add the line below to any controller you'd like to restrict access to (or to application.rb to protect your entire app):

before_filter :has_permission?



2. Define the following four methods in the model of every resource you'd like to restrict access to:

  # Instance-level checks: asked of the record being updated or deleted.
  def is_updatable_by(user)
    # return true or false
  end

  def is_deletable_by(user)
    # return true or false
  end

  # Class-level checks: asked before a record is read or created, so
  # object may be nil (for example on an index action).
  def self.is_readable_by(user, object = nil)
    # return true or false
  end

  def self.is_creatable_by(user)
    # return true or false
  end



3. These methods can contain anything you'd like so long as they return a boolean true or false. This allows you to define your User's roles any way you'd like. I normally use something along the lines of:

  def is_updatable_by(user)
    user.is_admin?
  end

  def is_deletable_by(user)
    user.is_admin?
  end

  # object defaults to nil, so guard it before touching object.author
  def self.is_readable_by(user, object = nil)
    user.is_admin? or (object and user.eql?(object.author))
  end

  def self.is_creatable_by(user)
    user.is_admin?
  end



4. If you want to make an action public in an otherwise protected controller, you can do:

before_filter :has_permission?, :except => :some_public_action



5. Want to be super cool and protect your entire application in one fell swoop? Put the code from #1 into your application.rb file. Any action in a controller can be made public by:

skip_before_filter :has_permission?, :only => :some_public_action



6. RESTful_ACL requires two named routes: "error" and "denied". You can create these routes by adding the following to your routes.rb file (note that you will have to restart your app before these are live):

map.error '/error', :controller => 'some_controller', :action => 'error_action'
map.denied '/denied', :controller => 'some_controller', :action => 'denied_action'



7. Now you can also do nifty things like checking permissions in your views:

<%= link_to 'Edit User', edit_user_url(@user) if @user.is_updatable_by(current_user) %>




How to Test
======================
I normally do something along these lines in RSpec:

  before(:each) do
    @time_card = TimeCard.new

    @author = mock_model(User)
    @time_card.stub!(:author).and_return(@author)

    @admin = mock_model(Admin)
    @user = mock_model(User)
  end

  it "should be modifiable by an Admin or the author" do
    @time_card.is_updatable_by(@admin).should be_true
    @time_card.is_updatable_by(@author).should be_true
    @time_card.is_updatable_by(@user).should be_false
  end
  
  it "should be deletable by an Admin or the author" do
    @time_card.is_deletable_by(@admin).should be_true
    @time_card.is_deletable_by(@author).should be_true
    @time_card.is_deletable_by(@user).should be_false
  end
  
  it "should be readable by an Admin or the author" do
    TimeCard.is_readable_by(@admin, @time_card).should be_true
    TimeCard.is_readable_by(@author, @time_card).should be_true
    TimeCard.is_readable_by(@user, @time_card).should be_false
  end
  
  it "should be creatable by everyone" do
    TimeCard.is_creatable_by(@admin).should be_true
    TimeCard.is_creatable_by(@user).should be_true
  end  
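To tie the "How to Use" steps and the RSpec example together, here is an added example (not code from the RESTful_ACL plugin or its author): a plain-Ruby TimeCard model that implements the four permission hooks with the semantics the spec above expects (admin or author may update, delete and read; anyone may create), guarded for the nil object case, plus a small `permitted?` dispatcher. The `User` struct, `TimeCard`, `ACTION_HOOKS` and `permitted?` are constructed stand-ins, and the mapping from REST actions to hooks is my assumption about what a filter like `has_permission?` does, not the plugin's own code.

```ruby
# Added example, not part of the RESTful_ACL plugin. Rails is not required;
# User and TimeCard are constructed stand-ins for an application's models.

# Constructed stand-in for the application's account type.
User = Struct.new(:name, :admin) do
  def is_admin?
    !!admin
  end
end

class TimeCard
  attr_reader :author

  def initialize(author)
    @author = author
  end

  # Instance-level hooks: the record itself is asked.
  def is_updatable_by(user)
    user.is_admin? || user == author
  end

  def is_deletable_by(user)
    is_updatable_by(user)
  end

  # Class-level hooks: called for read and create actions, where there may be
  # no record yet, so object can be nil and must be guarded.
  def self.is_readable_by(user, object = nil)
    return true if user.is_admin?
    !object.nil? && user == object.author
  end

  def self.is_creatable_by(_user)
    true
  end
end

# Assumed mapping from RESTful actions to the hooks (an approximation of what a
# has_permission? before_filter does; not copied from the plugin). Unknown
# actions are denied rather than allowed, so a typo never opens access.
ACTION_HOOKS = {
  'index'   => :read,   'show'   => :read,
  'new'     => :create, 'create' => :create,
  'edit'    => :update, 'update' => :update,
  'destroy' => :delete
}.freeze

def permitted?(action, user, model_class, object = nil)
  case ACTION_HOOKS[action.to_s]
  when :read   then model_class.is_readable_by(user, object)
  when :create then model_class.is_creatable_by(user)
  when :update then !object.nil? && object.is_updatable_by(user)
  when :delete then !object.nil? && object.is_deletable_by(user)
  else false # deny by default
  end
end

if __FILE__ == $0
  admin  = User.new('admin', true)
  author = User.new('alice', false)
  other  = User.new('bob', false)
  card   = TimeCard.new(author)

  %w[show edit destroy].each do |action|
    [admin, author, other].each do |u|
      puts "#{action} by #{u.name}: #{permitted?(action, u, TimeCard, card)}"
    end
  end
end
```

Note the two deny-by-default choices: an action that is not in the mapping is refused, and an update or delete with no record to ask is refused instead of raising or passing. Both keep a routing mistake from silently widening access.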
