New Authorization Framework

These days I’ve been working on a new Authorization Framework for Rails Station.

After trying ACLs and suffering from some scalability issues, the final version seems to be stable.

Like previous versions, you can protect your controller actions using authorization_filter:

class PostsController < ApplicationController
  # Require the :read permission on the post before running the show action
  authorization_filter :read, :post, :only => [ :show ]
end

Authorization is defined in each model using authorizing declarations:

class Post < ActiveRecord::Base
  authorizing do |user, permission|
    # Allow all actions to the author of the Post
    if user == agent
      true
    end
  end
end

You can define and chain as many authorizing declarations as you need. These declarations build an authorization chain, which is evaluated in order, starting from the first declaration, until one of them returns true or false.

This is the response you get when calling:

post.authorize? :read, :to => user

Station comes with two default declarations:

  • When a model acts_as_stage, the authorization queries will look for the permissions of the role the user is playing in the Stage
  • When a model acts_as_content, the authorization will query the Container
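The following is an added example, not Station's own code, showing how the authorization chain described above behaves when more than one declaration is present: declarations run in order, the first one that answers true or false settles the question, and a declaration that answers nil abstains and hands over to the next. The Authorizing module, the Struct-based User with a roles hash, the string stage name and the "deny when nobody answers" fallback are all assumptions made for the example; the second declaration only imitates, in a few lines, the kind of stage-role lookup the acts_as_stage default performs.

```ruby
# Added example (not Station's own code). It mirrors the declaration
# style from the post: `authorizing do |user, permission| ... end` blocks
# collected per model and evaluated in order by `authorize?`.
module Authorizing
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Append a declaration to this model's authorization chain.
    def authorizing(&block)
      authorization_chain << block
    end

    def authorization_chain
      @authorization_chain ||= []
    end
  end

  # Evaluate the chain from the first declaration onwards. The first
  # declaration returning true or false decides; nil means "no opinion".
  # Blocks run in the instance's context so they can call `agent` etc.
  # Assumption: if no declaration answers, access is denied.
  def authorize?(permission, options = {})
    user = options.fetch(:to)
    self.class.authorization_chain.each do |declaration|
      verdict = instance_exec(user, permission, &declaration)
      return verdict unless verdict.nil?
    end
    false
  end
end

# Constructed stand-ins for the real models: a user carries a map from
# stage name to the role played there.
User = Struct.new(:name, :roles)

class Post
  include Authorizing
  attr_reader :agent, :stage

  def initialize(agent, stage)
    @agent = agent
    @stage = stage
  end

  # 1st declaration: the author may do anything (answers nil otherwise,
  # so the chain continues).
  authorizing do |user, _permission|
    true if user == agent
  end

  # 2nd declaration: a stand-in for the stage-role lookup. Editors may
  # read and update, readers may only read, everyone else gets no answer.
  authorizing do |user, permission|
    case user.roles[stage]
    when :editor then [:read, :update].include?(permission)
    when :reader then permission == :read
    end
  end
end

# Returns the verdicts for a set of constructed users so the chain's
# behaviour can be inspected (and asserted on) without printing.
def sample_verdicts
  author   = User.new("alice", {})
  editor   = User.new("bob",   { "blog" => :editor })
  reader   = User.new("carol", { "blog" => :reader })
  stranger = User.new("dave",  {})
  post = Post.new(author, "blog")
  {
    :author_delete   => post.authorize?(:delete, :to => author),
    :editor_update   => post.authorize?(:update, :to => editor),
    :editor_delete   => post.authorize?(:delete, :to => editor),
    :reader_read     => post.authorize?(:read,   :to => reader),
    :reader_update   => post.authorize?(:update, :to => reader),
    :stranger_read   => post.authorize?(:read,   :to => stranger)
  }
end

if __FILE__ == $0
  sample_verdicts.each { |who, ok| puts "#{who}: #{ok}" }
end
```

Note that ordering matters: because the author declaration comes first and returns true, the role-based declaration is never consulted for the author, exactly as the "until one returns true or false" rule implies. A declaration that returns false explicitly (the editor asking for :delete) also stops the chain, so a later, more permissive declaration would not be reached.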

You can check the documentation for more information about authorization in Station.
