Closed epinault closed 10 years ago
@epinault Probably? :smile: I'm not a coding guru who knows how to do everything (eg, I've never done anything with LDAP).
I think you're trying to say "I have reports that aren't ActiveRecord models, so how can I use an authorizer?" As long as you have some kind of class, it should be fine. Eg:
```ruby
# 100% hypothetical
class WidgetReport < APIBasedReport # or whatever
  include Authority::Abilities # maybe edit config.abilities to only have `read`
  self.authorizer_name = 'ReportAuthorizer'

  def render
    data = fetch_data # talks to the API somehow
    format(data)
  end
end

class ReportAuthorizer < ApplicationAuthorizer
  # Class-level check: can this user read reports at all?
  def self.readable_by?(user)
    return false if user.roles.empty?
    true # explicit, otherwise the method returns nil and denies everyone
  end

  # Instance-level check: can this user read this particular report?
  def readable_by?(user)
    # `resource` refers to the report
    return false if resource.financial? && !user.roles.include?(:manager)
    true
  end
end
```
So yeah, you just have to think of your reports as objects and code accordingly.
Thanks! I think that answers my question. How does it know whether it is a read vs a write ability in your previous example? I am trying to wrap my head around how you would use the WidgetReport and how it knows it is a read ability?
Because you'd use it in a couple of ways:

1) `current_user.can_read?(widget_report)` when deciding to show a link or not
2) You'd set up your controller actions so that, eg, `show` on the `ReportsController` would check whether this report is `readable_by(current_user)` - see https://github.com/nathanl/authority#controllers
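The two call paths described above, as an added example that is not part of the original thread and not Authority's own code: a plain-Ruby stand-in showing how `can_read?` and a controller `show` check both end at `readable_by?` on the authorizer, and how the check fails closed. `SecurityViolation`, `ABILITIES`, `ACTION_MAP` and this `authorize_action_for` are local stand-ins written for illustration; the report and user objects are constructed.

```ruby
# Simplified stand-in for the delegation chain; NOT the Authority gem's code.
class SecurityViolation < StandardError; end

ABILITIES = { read: 'readable' }.freeze              # verb => adjective (assumed)
ACTION_MAP = { index: :read, show: :read }.freeze    # controller action => verb (assumed)

User = Struct.new(:roles) do
  # Like `current_user.can_read?(report)`: the user asks the resource.
  def can_read?(resource)
    resource.readable_by?(self)
  end
end

class ReportAuthorizer
  attr_reader :resource

  def initialize(resource)
    @resource = resource
  end

  def self.readable_by?(user)
    !user.roles.empty?
  end

  def readable_by?(user)
    return false unless self.class.readable_by?(user)
    !resource.financial? || user.roles.include?(:manager)
  end
end

# Constructed sample report: a plain Ruby object, no ActiveRecord.
WidgetReport = Struct.new(:financial) do
  def financial?
    financial
  end

  def readable_by?(user)
    ReportAuthorizer.new(self).readable_by?(user)
  end
end

# What `show` would do: map action to ability, ask the resource, fail closed.
def authorize_action_for(action, resource, user)
  verb = ACTION_MAP.fetch(action) { raise SecurityViolation, "unmapped action: #{action}" }
  allowed = resource.public_send("#{ABILITIES.fetch(verb)}_by?", user)
  raise SecurityViolation, "#{action} denied" unless allowed == true # nil is a denial
  true
end
```

An action missing from the map raises rather than passing through, so a newly added controller action is denied until someone assigns it an ability.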
OK, makes sense now! Thanks!
Hi
I am evaluating Authority to use it as the authorization framework on top of LDAP groups... It seems to be the most flexible, but you mentioned a section about Code Smell and non-resources... I am curious how you would approach a reporting web app (that accesses an API that is not necessarily REST-like) that limits some of the reports based on roles. And I have only one table where some events are stored.
Would Authority fit ok with that?