My Ring app is undergoing growing pains: I think I need some kind of
abstraction for managing user permissions when working with my RDBMS. Our
system has few user roles and they all own or have rights to a bunch of
data in a hierarchical fashion e.g. admin > manager > employee etc.

So far I've gotten away with manually writing permissions checks as part of
input validation functions in my Ring handlers. Mississippi takes care of
the basic input validation step, then I do some higher level checking,
including permissions, and then in case of a POST/UPDATE I attempt an
insertion and listen for SQL exceptions. At the end I generate the right
HTTP code.

The problem is that I have to write a bespoke check for each separate
route, often having to account for 2-3 user types, each with a different
set of tables to join to validate permissions. Business rules like "is the
requesting user A in the same group as the requested user B? If not, return
403" or "is requesting user A owner of the group user B is part of? If not,
return 403" etc.

My gut feeling is that this should be handled in a much more abstract and
declarative fashion. I should be able to say: if user type X requesting
data type Y with operation Z, check X-to-Y ACL table for whether the user
has that right. Then I can just declare these business rules in a central
location (akin to routes) and know that I didn't accidentally mess
something up. UTing might get simpler too. I think the Rails gem CanCan does
something similar to the above.

Now, does anybody have suggestions regarding this pattern? Have you added
something similar to your project or did you opt for a different design?
Any clj libraries you found useful here?

Cheers!

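One way to express the "user type X, data type Y, operation Z" lookup described above as a central rule table plus a Ring middleware, written here as an added example (not the poster's code and not any library's API). The `users` and `groups` maps are constructed stand-ins for the RDBMS tables, and `:user` on the request is assumed to be populated by an earlier authentication middleware:

```clojure
(ns example.authz)

;; Constructed in-memory stand-ins for the RDBMS tables; in a real app
;; these lookups would be SQL queries against the users/groups tables.
(def users  {1 {:id 1 :role :manager  :group 10}
             2 {:id 2 :role :employee :group 10}
             3 {:id 3 :role :employee :group 20}})
(def groups {10 {:id 10 :owner 1} 20 {:id 20 :owner 4}})

;; Reusable business rules: each takes the requesting user and the
;; target user and returns truthy when the operation may proceed.
(defn same-group?   [a b] (= (:group a) (:group b)))
(defn owns-group-of? [a b] (= (:id a) (get-in groups [(:group b) :owner])))

;; Central, declarative ACL: [role resource operation] -> rule.
;; :any means "always allowed"; a missing entry means "always denied"
;; (deny by default, so a forgotten rule fails closed rather than open).
(def acl
  {[:admin    :user :read]   :any
   [:admin    :user :update] :any
   [:manager  :user :read]   same-group?
   [:manager  :user :update] owns-group-of?
   [:employee :user :read]   same-group?})

(defn allowed? [acl requester resource op target]
  (let [rule (get acl [(:role requester) resource op])]
    (cond (= rule :any) true
          (fn? rule)    (boolean (rule requester target))
          :else         false)))

;; Ring middleware: the route declares what it touches via :resource/:op,
;; and the target row is resolved from the route params before the handler runs.
(defn wrap-authorize [handler {:keys [resource op target-fn]}]
  (fn [req]
    (let [requester (:user req)            ; assumed: set by auth middleware
          target    (target-fn req)]
      (cond
        (nil? requester) {:status 401 :body "unauthenticated"}
        (nil? target)    {:status 404 :body "not found"}
        (allowed? acl requester resource op target) (handler req)
        :else            {:status 403 :body "forbidden"}))))

(def update-user-handler
  (wrap-authorize (fn [req] {:status 200 :body (str "updated user " (get-in req [:params :id]))})
                  {:resource :user :op :update
                   :target-fn #(users (Long/parseLong (get-in % [:params :id])))}))

(comment
  (update-user-handler {:user (users 1) :params {:id "2"}}) ; manager 1 owns group 10 of user 2
  (update-user-handler {:user (users 2) :params {:id "1"}}) ; employee has no :update rule
  (update-user-handler {:user (users 2) :params {:id "9"}})) ; unknown target
```

Each route then only names its resource and operation; the rule bodies live in one place next to `acl`, which is also what a unit test can exercise directly by calling `allowed?` with fixture rows.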
-- 
-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en