Declarative Authorization
Having looked through quite a few existing Rails authorization plugins, we decided, we were in need of a different approach. Mainly, it was the missing separation of authorization logic from business logic in the evaluated plugins that caused us to implement a new plugin, declarative_authorization.
In our declarative approach, authorization rules are grouped in a policy file, while only privileges are used inside program code to enforce restrictions. We developed for flexibility and simplicity, requiring only very simple statements in rules and program code. So instead of
class ConferenceController < ApplicationController access_control :DEFAULT => [:admin], [:index, :show] => [...], [:edit, :update] => [:admin, :conference_organizer] end cond = permit?([:admin, :conference_organizer]) ? {} : {:published => true} Conference.find(:all, :conditions => cond) <% restrict_to [:admin, :conference_organizer] do %> <%= link_to 'Edit', edit_conference_path(conference) %> <% end %>
with all the authorization logic interweaved with your code, you only need this
class ConferencesController < ApplicationController filter_access_to :all def index @conferences = Conference.with_permissions_to(:read) end end <%= link_to 'Edit', edit_conference_path(conference) if permitted_to? :edit, conference %>
And, separated in one place the authorization rules:
role :guest do has_permission_on :conferences, :to => :read end role :conference_organizer do has_permission_on :conferences, :to => :manage end
So, the same rules are used in enforcing authorization in Model, View and Controller. Also, they are used for Query Rewriting to automatically constrain the retrieved records according to the authorization rules. Thus, you just modify the rules on authorization requirement changes and you can also use the rules to talk to business owners of Agile projects.
For additional information and more examples, refer to the README and the rdoc documentation. Currently, we are using the plugin for an application with fairly complex authorization and it will be taking into production in the next iteration. So, look into it if you have authorization concerns in your application, it’s released under MIT license.