On 28 Feb 2009, at 22:26, Chris Flipse wrote:
Yes! This is what I was trying (poorly) to get at.

Responsibility issues might be a large part of why it got factored
this way to begin with. The global is bad. Really bad, which is
why I'm trying to figure out something that works better. But I
believe it was put in place so that a model can be responsible for
its own authorization. Some of the models are used and updated
from several different controllers, so any authorization logic
external to the model would have had to be repeated in several
different locations.

The concern with that might be an over-enthusiastic embrace of DRY.
However some of the authorization stuff is Really Really Important,
so embedding the authorization logic in the model itself was seen as
a way to ensure it's not forgotten about.

Half of my problem right now is that I'm not even sure what layer to
put model-specific authentication! If it's in the controller layer,
it's repeated logic in every controller that touches the model in
question. If it's in the model, the logic is centralized, but now
your model needs not only to know about Users in general, it needs a
specific user. You have less chance of someone doing Something They
Shouldn't due to a forgotten check in a controller, but the test
setup seems to suffer for it.

One way or the other, the global User.current is going away --
soon. It's just a question of what to replace it with, and where.

I was only skim-reading this topic so I may be misunderstanding what
you're after but I think that maybe what you're looking for is
something like http://github.com/stffn/declarative_authorization/tree/master,
a Rails plugin that allows you to specify the authorisation in a
single place for both controllers and at the model level. I've just
started using it for a project and so far it seems a good fit, though
I'm trying to keep the whole app as restful resources which makes
things a little easier.

It also has a few test helper methods which make it really easy to use
with Cucumber and RSpec.

Andy
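
An added sketch, not part of either message and not declarative_authorization's API: one way to keep the authorization check inside the model, as the quoted message wants, while passing the acting user explicitly instead of reading the global `User.current`. `Invoice`, `InvoicePolicy`, `NotAuthorized` and the `as:` keyword are hypothetical names chosen for illustration.

```ruby
# Added illustration; every class and method name below is hypothetical.
class NotAuthorized < StandardError; end

# Minimal stand-in for the application's user model.
class User
  attr_reader :name, :roles

  def initialize(name, roles = [])
    @name = name
    @roles = roles
  end

  def role?(role)
    roles.include?(role)
  end
end

# All rules for one model live here. The actor is an argument, so
# nothing reads process-wide state such as User.current.
class InvoicePolicy
  def initialize(actor, invoice)
    @actor = actor
    @invoice = invoice
  end

  def update?
    return false if @actor.nil? # fail closed when no user is supplied
    @actor.role?(:admin) || @invoice.owner.equal?(@actor)
  end
end

class Invoice
  attr_reader :owner, :amount

  def initialize(owner:, amount:)
    @owner = owner
    @amount = amount
  end

  # Every controller goes through this method, so the check cannot be
  # forgotten in one of them; a spec only has to pass a user object.
  def update_amount!(new_amount, as:)
    raise NotAuthorized, "update denied" unless InvoicePolicy.new(as, self).update?
    @amount = new_amount
    self
  end
end
```

Because the user arrives as an argument, a spec can exercise the allow and deny paths with plain objects and needs no global set up or torn down.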