I've got rails_authorization_plugin up and running with models.

What's the best way to implement permission checks on my site?

I have complicated conditions for when an instance of an object should be visible. Is there an efficient way to chain them together so I'm not fetching multiple sets of data and grinding my DB as a result of looping over returned data to filter it?

+1  A: 

There is an efficient way: make sure you only run one query, and that the query you run returns exactly the objects you want. Easier said than done, of course.

One way to handle this is to construct your conditions using scopes.

@posts = @thread.posts.not_deleted.this_week.not_secret

If all those methods are scopes, that will be only one query.

If your conditions are too complex to easily make them scopes, you should probably just write a method to return the visible objects for the user.

class User
  # Return only the posts in +thread+ that this user may see. Each branch
  # yields a single query, so there is no post-fetch filtering in Ruby.
  def posts_for(thread)
    if is_admin?
      thread.posts
    elsif thread.owner == self
      thread.posts.not_deleted
    else
      # something_complicated builds the :conditions fragment
      # (SQL string plus bind values) for this thread and user.
      Post.find(:all, :conditions => something_complicated(thread, self))
    end
  end
end

My application has a lot of kinds of objects, and very complicated permissions, so we capture calls like that with method_missing, and route them to a permission library that knows how to make all the various queries.

Michael Sofaer
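The scope chain and role-based lookup described in the answer, as an added example that is not part of the original answer or of any plugin: a dependency-free stand-in for ActiveRecord named scopes (the `Relation`, `FakeDB`, `ForumThread` and `Post` names, and the sample posts, are constructed assumptions) that shows each scope merely recording a condition and the store being hit exactly once, however many scopes are chained, with the chain chosen per role rather than filtering rows after the fetch.

```ruby
require 'date'

# Constructed sample data standing in for the posts table.
TODAY = Date.new(2009, 6, 15)
Post = Struct.new(:id, :thread_id, :deleted, :secret, :created_on, keyword_init: true)
ForumThread = Struct.new(:id, :owner)

POSTS = [
  Post.new(id: 1, thread_id: 1, deleted: false, secret: false, created_on: TODAY - 1),
  Post.new(id: 2, thread_id: 1, deleted: true,  secret: false, created_on: TODAY - 1),
  Post.new(id: 3, thread_id: 1, deleted: false, secret: true,  created_on: TODAY - 2),
  Post.new(id: 4, thread_id: 1, deleted: false, secret: false, created_on: TODAY - 20),
  Post.new(id: 5, thread_id: 2, deleted: false, secret: false, created_on: TODAY),
]

# Stand-in for the database (assumed, not a real adapter); it counts executed
# queries so we can verify that a whole scope chain costs exactly one fetch.
module FakeDB
  @queries = 0
  class << self
    attr_accessor :queries
    def select(&where)
      self.queries += 1
      POSTS.select(&where)
    end
  end
end

# Stand-in for an ActiveRecord named-scope chain. Every scope returns a
# NEW relation with one more predicate; nothing is fetched until #to_a.
class Relation
  attr_reader :conditions
  def initialize(conditions = [])
    @conditions = conditions
  end

  def where(&pred)
    Relation.new(conditions + [pred])
  end

  def in_thread(thread); where { |p| p.thread_id == thread.id };  end
  def not_deleted;       where { |p| !p.deleted };                end
  def not_secret;        where { |p| !p.secret };                 end
  def this_week;         where { |p| p.created_on >= TODAY - 7 }; end

  # The single point where the store is queried, with every condition ANDed.
  def to_a
    FakeDB.select { |post| conditions.all? { |c| c.call(post) } }
  end
end

class User
  attr_reader :name
  def initialize(name, admin: false)
    @name, @admin = name, admin
  end
  def admin?; @admin; end

  # Choose the scope chain by role; whichever branch runs, it is one query.
  def posts_for(thread)
    base = Relation.new.in_thread(thread)
    if admin?
      base
    elsif thread.owner == self
      base.not_deleted
    else
      base.not_deleted.this_week.not_secret
    end
  end
end

# Returns [sorted ids of the posts visible to user, number of queries executed].
def visible_post_ids(user, thread)
  FakeDB.queries = 0
  ids = user.posts_for(thread).to_a.map(&:id).sort
  [ids, FakeDB.queries]
end

if __FILE__ == $0
  owner = User.new('owner')
  thread = ForumThread.new(1, owner)
  [User.new('root', admin: true), owner, User.new('guest')].each do |u|
    ids, n = visible_post_ids(u, thread)
    puts "#{u.name}: posts #{ids.inspect} in #{n} query"
  end
end
```

The point to carry over to real ActiveRecord is the shape, not the fake store: scopes are lazy and compose into one SQL statement, so the role check belongs in the method that picks the chain, never in a Ruby loop over rows you already fetched.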
Well, I'm using the rails acl plugin which is pretty concise, but I don't think I can use it in chains, can I? Are there any ACL plugins that behave almost like an extension of ActiveRecord? The documentation for rails acl gives a lot to get started, but actually implementing security checks leaves me with a lot of guesswork. Thanks for your help, really good advice here already!
Omega
I'm not sure which library you are using, maybe link it? I don't really know the field of permissions libraries. I rolled my own permissions library, because our roles have object-level granularity, not application-level granularity, so the plugins out there didn't really work for me.
Michael Sofaer
Did you check out rails_acl_plugin? It does instance, class and method level permissions.
Omega
This question is the first google hit for rails_acl_plugin. Please link it.
Michael Sofaer