nathanl / authority

*CURRENTLY UNMAINTAINED*. Authority helps you authorize actions in your Rails app. It's ORM-neutral and has very little fancy syntax; just group your models under one or more Authorizer classes and write plain Ruby methods on them.
MIT License

authority_success logging #119

Closed forced-request closed 7 years ago

forced-request commented 7 years ago

This PR introduces the authority_success controller method, which can be utilized to log successful authorization events. This must be enabled within the configuration by setting config.log_success = true within the initializer.

This method will log via Authority.logger.info by default, but can be overloaded in the controller similar to how authority_forbidden is. As an example:

class ApplicationController < ActionController::Base
  # Send 'em back where they came from with a slap on the wrist
  def authority_forbidden(error)
    # log_security_event is the application's own audit helper, not part of Authority
    log_security_event("failure", nil, "Authority Failure")

    Authority.logger.warn(error.message)
    redirect_to request.referrer.presence || root_path, :alert => 'You are not authorized to complete that action.'
  end

  # Called after a successful authorization once config.log_success is enabled
  def authority_success(*opts)
    log_security_event("success", nil, "Authority Success")
  end
end

This may not be the best way to handle things. For instance, you may prefer that the authority_success action operate on an object similar to SecurityViolation. I didn't see the need for this for my use case.

What do you think?
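To make the proposed flow concrete outside of Rails, here is an added, self-contained Ruby model of the behaviour the PR describes: a `log_success` configuration flag, a default `authority_success` hook that writes to `Authority.logger.info`, and a controller that overrides both hooks to record an audit trail in memory. This is example code written for this page, not the gem's code; `Authority::Controller`, `permits?`, `Article`, `ArticleAuthorizer` and the two controllers are constructed stand-ins, and `SecurityViolation` is reduced to the three fields the hook needs.

```ruby
require 'logger'
require 'stringio'

# Constructed stand-in for the parts of the Authority gem the PR touches
# (configuration, logger, SecurityViolation, controller hooks). Not the gem's code.
module Authority
  class Configuration
    attr_accessor :logger, :log_success
    def initialize
      @logger = Logger.new($stdout)
      @log_success = false # success logging is opt-in, as in the PR
    end
  end

  def self.configuration; @configuration ||= Configuration.new; end
  def self.configure; yield configuration; end
  def self.logger; configuration.logger; end

  class SecurityViolation < StandardError
    attr_reader :user, :action, :resource
    def initialize(user, action, resource)
      @user, @action, @resource = user, action, resource
      super("#{user} is not authorized to #{action} this resource: #{resource}")
    end
  end

  # Controller mixin: authorize_action_for consults the resource's authorizer,
  # then calls authority_forbidden (denied) or, only when log_success is on,
  # authority_success (allowed). Both hooks can be overridden per controller.
  module Controller
    def authorize_action_for(resource, action)
      user = current_user
      if resource.authorizer.permits?(action, user)
        authority_success(user, action, resource) if Authority.configuration.log_success
      else
        authority_forbidden(SecurityViolation.new(user, action, resource))
      end
    end

    # Default success hook as the PR describes it: an info-level log line.
    def authority_success(user, action, resource)
      Authority.logger.info("#{user} authorized to #{action} #{resource}")
    end

    def authority_forbidden(error)
      Authority.logger.warn(error.message)
    end
  end
end

# Constructed domain: anyone may read an Article, only its owner may update it.
Article = Struct.new(:id, :owner) do
  def authorizer; ArticleAuthorizer.new(self); end
  def to_s; "Article##{id}"; end
end

class ArticleAuthorizer
  def initialize(article); @article = article; end
  def permits?(action, user)
    case action
    when :read   then true
    when :update then user == @article.owner
    else false
    end
  end
end

# Overrides both hooks to record audit events in memory, mirroring the
# ApplicationController example in the PR description.
class ArticlesController
  include Authority::Controller
  attr_reader :current_user, :security_events

  def initialize(current_user)
    @current_user = current_user
    @security_events = []
  end

  def authority_success(user, action, resource)
    @security_events << [:success, user, action, resource.to_s]
  end

  def authority_forbidden(error)
    @security_events << [:failure, error.user, error.action, error.resource.to_s]
  end
end

# Keeps the default hooks, so the info-level log line can be observed.
class CommentsController
  include Authority::Controller
  attr_reader :current_user
  def initialize(current_user); @current_user = current_user; end
end

# Runs three constructed requests against one article; returns the recorded events.
def run_scenario(log_success:)
  Authority.configure { |c| c.log_success = log_success }
  article = Article.new(7, "alice")
  [["alice", :update], ["bob", :update], ["bob", :read]].flat_map do |user, action|
    controller = ArticlesController.new(user)
    controller.authorize_action_for(article, action)
    controller.security_events
  end
end

# Captures what the default authority_success hook writes to Authority.logger.
def default_log_output
  buffer = StringIO.new
  Authority.configure { |c| c.logger = Logger.new(buffer); c.log_success = true }
  CommentsController.new("alice").authorize_action_for(Article.new(7, "alice"), :update)
  buffer.string
end
```

With `log_success: true`, `run_scenario` records two successes and one failure; with it off, only the failure is recorded, which is the point of gating success logging behind configuration: failures are always worth a log line, while successes are high-volume and only useful when an audit trail is wanted.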

forced-request commented 7 years ago

@nathanl I think what you said makes sense. I made those changes. It's much simpler now. I also removed the test coverage since the function doesn't actually do anything.

nathanl commented 7 years ago

👍