Wellrailed - Be9's Acl9
Published in: Technology, Business
Transcript of "Wellrailed - Be9's Acl9"

  Authorization systems and Be9's Acl9

  Authorization vs Authentication
    - Authentication is verifying who you are. Authorization is saying what you can do.

  Types of Authorization
    - Clearance based
      - Users have clearance flags and objects have a clearance type.
      - Naive: checks flags without knowledge of user relationships.
      - Easier administration.
    - Object based
      - Users are related to the object (owner of, editor of, etc.).
      - Relationships are recorded by the object.
      - Highly secure because permissions are explicitly declared.
      - Requires a large amount of administration.
    - Role based
      - Roles relate users to actions. Actions may be related to a particular object.
      - Roles allow for meaningful grouping of actions and objects.
      - Roles map intuitively to types of user, and can often be planned for free in development.
        - "As a <role> I want to edit widgets."

  When should I implement roles?
    - As soon as you think they're going to be in the application.
    - Implemented early, they are easy to add and will better define your thinking about the application.
    - Lets you know which parts of the site need polishing up for external users, etc.

  How should I implement roles?
    - Not with Be9's ACL9.
    - A good portion of the time you just need a few global roles.
    - Where possible just use a role field in the user model.
      - if current_user.role == 'admin'
    - Use Be9's when you need more control over permission groups and object relationships.

  Be9's ACL9
    - A powerful role management system for Rails.
    - Provides syntax and handlers for relating roles to objects and actions.
    - Consistently deal with roles and relations.
    - Multi-table solution allows the system to apply roles to objects or classes quickly.

  Getting started
    - Install as a plugin or gem from http://github.com/be9/acl9
    - Get some kind of authentication system that includes current_user.

  Setup database

      create_table "roles", :force => true do |t|
        t.string   "name", :limit => 40
        t.string   "authorizable_type", :limit => 40   # polymorphic target: class name
        t.integer  "authorizable_id"                   # nil together with type = global role
        t.datetime "created_at"
        t.datetime "updated_at"
      end

      create_table "roles_users", :id => false, :force => true do |t|
        t.integer  "user_id"
        t.integer  "role_id"
        t.datetime "created_at"
        t.datetime "updated_at"
      end

    Don't forget indexes.

  acts_as_*
    - acts_as_authorization_subject
    - acts_as_authorization_object

  Options
    - :default_role_class_name => 'Role',
    - :default_subject_class_name => 'User',
    - :default_subject_method => :current_user,
    - :protect_global_roles => true

  Adding and Removing Roles
    - Add a role with user.has_role!(role, object = nil)
      - Specify a role and optionally an object or class the user has that role on.
    - Remove a role with user.has_no_role!(role, object = nil)
    - Remove roles on an object with user.has_no_roles!(object)
    - Remove all roles with user.has_no_roles!

  Checking if a user has roles
    - user.has_role?(role, object = nil)
      - Checks the role and the optional object.
    - user.has_roles_for?(object)
      - Checks for any roles on that object.
    - Most of these methods have an object version such as object.accepts_role?(role, subject).

  Finding roles
    - user.role_objects
    - user.roles_for(object)
    - user.roles_for(class)
      - I use this in conjunction with user.roles_for(class).map(&:authorizable)
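The has_role!/has_no_role!/has_role?/has_roles_for? calls from the slides above, reduced to a plain Ruby model as an added example (not acl9's code; it needs no Rails). Role mirrors the columns of the roles table from the Setup database slide, Widget is a constructed authorization object, and the protect_global_roles flag reflects my reading of the :protect_global_roles option (an unscoped has_role? should match only a truly global role); in this model a class-scoped role does not satisfy an instance-scoped check, which is an assumption to verify against the acl9 version you run.

```ruby
require 'set'

# Constructed stand-in for the roles / roles_users tables on the "Setup database" slide:
# a Role is (name, authorizable_type, authorizable_id); nil type and id means a global role.
Role   = Struct.new(:name, :authorizable_type, :authorizable_id)
Widget = Struct.new(:id)   # constructed authorization object

class User
  def initialize(protect_global_roles: true)
    @roles = Set.new
    @protect_global_roles = protect_global_roles
  end

  # user.has_role!(:admin) grants a global role; pass an object or a class to scope it.
  def has_role!(name, object = nil)
    @roles << role_for(name, object)
  end

  def has_no_role!(name, object = nil)
    @roles.delete(role_for(name, object))
  end

  # A scoped check matches only a role on exactly that object or class. An unscoped check
  # matches a global role; with protect_global_roles false it also accepts a role held on
  # any object, the permissive behaviour that the :protect_global_roles option guards.
  def has_role?(name, object = nil)
    return @roles.include?(role_for(name, object)) unless object.nil?
    @roles.include?(role_for(name, nil)) ||
      (!@protect_global_roles && @roles.any? { |r| r.name == name.to_s })
  end

  # True when the user holds any role scoped to this particular object.
  def has_roles_for?(object)
    @roles.any? { |r| r == role_for(r.name, object) }
  end

  private

  # Build the (name, authorizable_type, authorizable_id) tuple acl9-style roles are keyed by.
  def role_for(name, object)
    case object
    when nil   then Role.new(name.to_s, nil, nil)
    when Class then Role.new(name.to_s, object.name, nil)
    else            Role.new(name.to_s, object.class.name, object.id)
    end
  end
end
```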
  Access Control
    Authorization occurs from a block in the controller featuring allow and deny statements.

      access_control do
        allow :manager
        deny  :peon
      end

  Access Control (cont)

      allow :manager, :to => [:index, :create]
      deny  :manager, :except => [:index, :create]

  Access Control (cont)
    - Can also check role relations to variables.
      - Set the variable in a before_filter; the symbol names the @widget instance variable it sets.

          allow :manager, :of => :widget, :to => :edit

      - :of is aliased lots for more gooder English. You can use :of, :at, :on, :by, :for, :in.

  Access Control (cont)
    - You can also add :if or :unless to the end of access control statements.

          allow :manager, :to => :update, :if => :gives_raise

          def gives_raise
            params[:salary].to_i > @salary.value   # params arrive as strings; compare as a number
          end

      - Methods must return true or false.

  Access Denied
    - Catch Acl9::AccessDenied errors in the controller with rescue_from.
    - Often worth catching these conditionally in the controller for specific access problems and then raising to a generic block in the application_controller.