nathanl / authority

*CURRENTLY UNMAINTAINED*. Authority helps you authorize actions in your Rails app. It's ORM-neutral and has very little fancy syntax; just group your models under one or more Authorizer classes and write plain Ruby methods on them.
MIT License

The workflow for multiple controllers working with one model. #97

Closed youroff closed 7 years ago

youroff commented 9 years ago

What would be the proper way to tune authorization workflow for the case when there are multiple controllers to do something different with the same model?

The issue, as I see it, is that instance-level permissions are always checked in the authorizer set in the model, whereas for a class-level check you could set any authorizer in the controller. I think it would be natural to use the authorizer specified in the controller when calling authorize_action_for @variable.

Also, it would be nice to use custom actions right away, without declaring them in config. Let's say we have:

  authorize_actions_for Recon::StepAuthorizer, actions: {
    take_photo: 'take_photo'
  } 

This calls current_user.can_take_photo?(authorizer, ... ?) and it can't resolve it further if there's no such item in the map. It would be nice to call it on the authorizer as a fallback. Or some other approach?

christhekeele commented 9 years ago

Currently, I don't see an easy way to customize the authorizer used per resource at the controller layer. However, I can see this as being in scope for the next major version of Authority, which I don't have a timeline for yet. I'd like to move to a more ActiveModel::Serializers approach where a default class is inferred from the model, but the controller-level hook allows for exactly that customization.

As far as the dynamic custom actions go, I'm not 100% sold on the use-case, but I'll keep it in mind.

nathanl commented 7 years ago

Authority is now unmaintained - see README.
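
Added example, not part of the thread and not Authority's own code: a plain-Ruby model of the dispatch youroff describes (controller-chosen authorizer for class-level checks, model's authorizer for instances) next to the behaviour requested, showing where the two decisions diverge. Every class and method name here (StepAuthorizer, ReviewStepAuthorizer, described_check, requested_check) and the sample users are hypothetical.

```ruby
# Simplified model of the dispatch discussed in this issue. Not Authority's code:
# every class, method and sample value below is a hypothetical stand-in.
User = Struct.new(:name, :reviewer)
Step = Struct.new(:owner) do
  def self.authorizer; StepAuthorizer; end    # authorizer set on the model
end

class StepAuthorizer                           # model-level rules
  def initialize(resource); @resource = resource; end
  def self.updatable_by?(_user); true; end     # class level: anyone may attempt
  def updatable_by?(user); @resource.owner == user; end
end

class ReviewStepAuthorizer < StepAuthorizer    # rules meant for one controller only
  def self.updatable_by?(user); user.reviewer; end
  def updatable_by?(user); user.reviewer; end
end

# As described in the issue: the controller's authorizer is honoured for
# class-level checks, but an instance always goes to its model's authorizer.
def described_check(target, user, controller_authorizer = nil)
  if target.is_a?(Class)
    (controller_authorizer || target.authorizer).updatable_by?(user)
  else
    target.class.authorizer.new(target).updatable_by?(user)
  end
end

# As requested in the issue: the controller's authorizer, when given,
# also decides instance-level checks.
def requested_check(target, user, controller_authorizer = nil)
  klass = target.is_a?(Class) ? target : target.class
  authorizer = controller_authorizer || klass.authorizer
  target.is_a?(Class) ? authorizer.updatable_by?(user) : authorizer.new(target).updatable_by?(user)
end

OWNER    = User.new("owner", false)            # constructed sample data
REVIEWER = User.new("reviewer", true)
STEP     = Step.new(OWNER)

# One row per user: [name, class-level, instance (described), instance (requested)]
def gap_report
  [OWNER, REVIEWER].map do |u|
    [u.name, described_check(Step, u, ReviewStepAuthorizer),
     described_check(STEP, u, ReviewStepAuthorizer),
     requested_check(STEP, u, ReviewStepAuthorizer)]
  end
end

gap_report.each { |row| puts row.inspect } if $PROGRAM_NAME == __FILE__
```

In each row the class-level and instance-level answers disagree under the described dispatch, which is the mismatch to look for when a second controller is meant to apply its own rules to a shared model.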