authorization for rails
- Host: GitHub
- URL: https://github.com/shuber/authorization
- Owner: shuber
- License: mit
- Created: 2008-06-04T22:28:25.000Z (almost 18 years ago)
- Default Branch: master
- Last Pushed: 2009-01-09T08:45:02.000Z (over 17 years ago)
- Last Synced: 2025-04-12T14:16:44.895Z (about 1 year ago)
- Language: Ruby
- Homepage:
- Size: 105 KB
- Stars: 26
- Watchers: 4
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.markdown
- Changelog: CHANGELOG
- License: MIT-LICENSE
README
authorization
=============
A rails gem/plugin that handles authorization
Installation
------------
    gem install shuber-authorization --source http://gems.github.com

OR

    script/plugin install git://github.com/shuber/authorization.git
Usage
-----
### Model ###
You must define an instance method such as `:authorized?` (customizable - see "Options") on your User class or whatever class you're
authorizing. It will be passed a hash of options from the controller and must return true or false.
    class User < ActiveRecord::Base
      def authorized?(options)
        # does some logic to determine if this user is authorized or not
        # returns a boolean
      end
    end
### Controller ###
In the example below, the `:current_user` (customizable - see "Options") is only checked for authorization on the `:destroy`, `:edit`,
and `:update` actions. In a `before_filter`, the `:current_user`'s `:authorized?` method is called with whatever options you
passed to `authorize`. If the `:authorized?` method returns true, the request goes through as normal; otherwise the request
is redirected with a flash message (customizable - see below).
    class UsersController < ApplicationController
      authorize :role => :admin, :only => [:destroy, :edit, :update]

      def destroy; end
      def edit; end
      def index; end
      def show; end
      def update; end
    end
Controllers also have an instance method called `authorized?` which accepts the same options as the `authorize` method. You can use this
if you want to check if an object is authorized without redirecting if it isn't. For example:
    class UsersController < ApplicationController
      def some_action
        if authorized? :role => :admin
          # do something
        else
          # do something else
        end
      end
    end
`authorized?` is a helper method so you can use it in your views as well.
When authorization fails, the controller's instance method `unauthorized` is called. It simply sets a flash error and redirects. You can
override this method if you'd like to do something different.
### Options ###
Your controllers have a class method called `authorization_options` which contains a hash with the default options. You can change
these like so:

    class UsersController < ApplicationController
      self.authorization_options.merge!(:message => 'You are not authorized', :redirect_to => :users_path)
    end
The default authorization options are:

    # The type of flash message to use when authorization fails. Defaults to :error.
    :flash_type

    # The flash message to use when authorization fails. If set to false, no flash is set. Defaults to 'Unauthorized'.
    :message

    # The method to call to check if an object is authorized. Defaults to :authorized?
    :method

    # The object to authorize. If set to a proc or a symbol representing an instance method, it is evaluated and the resulting
    # object is checked for authorization. Defaults to :current_user.
    :object

    # The path to redirect to if authorization fails. Accepts a string or a symbol representing an instance method to call.
    # Defaults to '/'.
    :redirect_to
These options can be overwritten when you use the `authorize` method. In the example below, if authorization fails when viewing
the `:destroy` action, the message `Only admins can destroy users` is used. If authorization fails on any other action, the
default `:message` is used (`Unauthorized` in this case).
    class UsersController < ApplicationController
      authorize :role => :admin, :message => 'Only admins can destroy users', :only => [:destroy]
      authorize :role => :admin, :except => [:destroy]
    end
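To show the "Model" contract and the per-action rules above working together, here is a constructed example that is not code from this gem: a plain-Ruby `User` whose `authorized?` fails closed on unknown or empty options, and a small `check_request` that imitates the before_filter outside Rails. The `:any_role` key, the `roles` attribute, `check_request`, and the assumption that the gem's own keys (`:only`, `:message`, ...) arrive in the same hash are all assumptions made for illustration.

```ruby
# Constructed example, not code from the shuber/authorization gem: a plain-Ruby
# User whose authorized? follows the README's contract, plus a simulation of the
# gem's before_filter so the README's rules can be exercised without Rails.
class User
  attr_reader :roles

  def initialize(roles)
    @roles = Array(roles).map(&:to_sym)
  end

  # Option keys this model evaluates. :role mirrors the README's controller
  # example; :any_role is an assumed extension used only for illustration.
  KNOWN_KEYS = [:role, :any_role].freeze
  # The gem's own keys (see "Options"); assumed to arrive in the same hash, so
  # they are ignored rather than treated as unknown constraints.
  GEM_KEYS = [:only, :except, :message, :flash_type, :method, :object, :redirect_to].freeze

  # Receives the hash passed to `authorize`; returns strictly true or false.
  def authorized?(options = {})
    constraints = (options || {}).reject { |k, _| GEM_KEYS.include?(k) }
    # Fail closed: a misspelled key (:rol => :admin) must not grant access, and
    # a rule that constrains nothing is treated as a configuration error.
    return false unless (constraints.keys - KNOWN_KEYS).empty?
    return false if constraints.empty?

    constraints.all? do |key, value|
      case key
      when :role     then roles.include?(value.to_sym)
      when :any_role then Array(value).any? { |r| roles.include?(r.to_sym) }
      end
    end
  end
end

# Assumed reconstruction of the before_filter for one request: for each
# `authorize` rule whose :only/:except covers the action, call authorized? with
# the rule's options; the first failing rule wins and its :message is reported.
def check_request(user, action, rules)
  action = action.to_sym
  rules.each do |rule|
    only   = Array(rule[:only]).map(&:to_sym)
    except = Array(rule[:except]).map(&:to_sym)
    next if only.any? && !only.include?(action)
    next if except.include?(action)
    return [:redirect, rule.fetch(:message, 'Unauthorized')] unless user.authorized?(rule)
  end
  [:allow, nil]
end
```

Feeding the two rules from the last `UsersController` example into `check_request` shows a non-admin hitting `:destroy` getting the rule-specific message and hitting any other action getting the default `Unauthorized`.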
Contact
-------
Problems, comments, and suggestions all welcome: [shuber@huberry.com](mailto:shuber@huberry.com)