chaps-io / access-granted

Multi-role and whitelist based authorization gem for Rails (and not only Rails!)
MIT License
775 stars 41 forks source link

Replacement for accessible_by #26

Closed linkyndy closed 8 years ago

linkyndy commented 8 years ago

Since AccessGranted does not support CanCan's accessible_by, how can I achieve something similar to it? It's handy to have such a scope to retrieve only permitted objects.

pokonski commented 8 years ago

accessible_by is only possible for permissions with hash conditions (for obvious reasons) and has very limited use.

I have no intention of bringing this functionality into access-granted as it creates too much complexity and couples two completely different things, authorization and querying internal data storage.

What you need is to just check the user's role and query accordingly by a given column.

In 99% cases you just need to filter by the owner's id. Not something access-granted should know about.

linkyndy commented 8 years ago

I respect your choice, wasn't questioning whether you should add accessible_by. But in my case, 99% of the uses of 'accessible_by` are complex, I just don't check based on a single column on the target model. I have roles that control nested objects by even 3-4 levels, so I guess it would be quite cumbersome to do this manually. That's why I've asked, maybe I'm missing something more obvious.

pokonski commented 8 years ago

I would create a repository that does the fetching depending on the current_user and his role. You could even check for exact permissions inside that repository and build queries based on that.

On 15 January 2016 at 09:53, Andrei Horak notifications@github.com wrote:

I respect your choice, wasn't questioning whether you should add accessible_by. But in my case, 99% of the uses of 'accessible_by` are complex, I just don't check based on a single column on the target model. I have roles that control nested objects by even 3-4 levels, so I guess it would be quite cumbersome to do this manually. That's why I've asked, maybe I'm missing something more obvious.

— Reply to this email directly or view it on GitHub https://github.com/chaps-io/access-granted/issues/26#issuecomment-171904727 .

Piotr Okoński piotrek@okonski.org | +48 792 097 151

pokonski commented 8 years ago

Additional thought: I might be able to expose applying conditions for a given user to use in fetching, but I don't want to actually integrate with any ORMs.

On 15 January 2016 at 09:55, Piotrek Okoński piotrek@okonski.org wrote:

I would create a repository that does the fetching depending on the current_user and his role. You could even check for exact permissions inside that repository and build queries based on that.

On 15 January 2016 at 09:53, Andrei Horak notifications@github.com wrote:

I respect your choice, wasn't questioning whether you should add accessible_by. But in my case, 99% of the uses of 'accessible_by` are complex, I just don't check based on a single column on the target model. I have roles that control nested objects by even 3-4 levels, so I guess it would be quite cumbersome to do this manually. That's why I've asked, maybe I'm missing something more obvious.

— Reply to this email directly or view it on GitHub https://github.com/chaps-io/access-granted/issues/26#issuecomment-171904727 .

Piotr Okoński piotrek@okonski.org | +48 792 097 151

Piotr Okoński piotrek@okonski.org | +48 792 097 151

linkyndy commented 8 years ago

I understand. Thanks for your help; will keep an eye on the progress of this gem ;) Keep up the good work!

TSMMark commented 1 year ago

Hey @pokonski (or any maintainers), is this a thing yet?

I might be able to expose applying conditions for a given user to use in fetching

Can't find this in the readme or docs

pokonski commented 1 year ago

Hey @TSMMark, this is not in Access Granted. But if anyone is willing to make an extension to AG we can include it :)

TSMMark commented 1 year ago

To make sure we're on the same page about it, could you give a brief example of how you imagine it to work?

pokonski commented 1 year ago

I personally have no need for such feature so not really, I haven't given it much thought