dead_simple_authorization 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +42 -1
- data/lib/dead_simple_authorization/helpers.rb +1 -0
- data/lib/dead_simple_authorization/version.rb +1 -1
- metadata +2 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 094811cb3c6a7c29d7de9eaf841554e4179d2919
|
4
|
+
data.tar.gz: 493f517f366e9f935de8c848879639154cda8e88
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b99b566cad0ec612eb2a71b2dcb6a1d35856943fade47fe092426e536929be1af09bf429686bd5e5dc2db8631be50e3cc81556ed1f8084b54c4c34552e774487
|
7
|
+
data.tar.gz: 09b0919c5faa86f439ac8f850d7777c4c9ac59af366824e07f4d87396bd71e79add34afe2909fdcc7a4097c278f7980f1b671cc4dbe6b4f1529c820122057ed4
|
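Review bot: the pre-change values for the SHA1 and SHA512 entries are blank in this rendering, so the diff only shows the new `metadata.gz` and `data.tar.gz` digests for 0.2.0 and cannot be used to confirm what they replaced. These entries are regenerated by the gem build for the new tarballs rather than hand-edited; when verifying a downloaded copy, compare against the SHA512 values, treating the SHA1 entries as informational only.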
data/README.md
CHANGED
@@ -1,2 +1,43 @@
|
|
1
1
|
# dead_simple_authorization
|
2
|
-
|
2
|
+
|
3
|
+
## What is dead_simple_authorization?
|
4
|
+
It's a simple gem for authorization. The main concepts around dead_simple_authorization are: users, resources and permissions. Using a couple of simple naming conventions, it organizes the way in which access to a resource (an activerecord model for example) by a user (e.g. a web application's user) is checked.
|
5
|
+
|
6
|
+
## What's included
|
7
|
+
The juice of this gems are the methods can? and authorize included in the module DeadSimpleAuthorization::Helpers. Both methods accept 3 arguments: a user, an action and a resource. For example can?(user, :update, post) checks if a user has the permission to update a post. The authorize method is the stricter of the two, as if the user doesn't have permission, it raises a DeadSimpleAuthorization::Errors::NotAuthorized error, while can? method only returns a boolean.
|
8
|
+
|
9
|
+
## Example usage
|
10
|
+
Think of a web application (e.g. a rails app), a blog for example, where there are Users and Posts and a user can be the owner of a Post. How would we create a simple authorization mechanism in this case?
|
11
|
+
|
12
|
+
Assume a Post contains the following (among other things):
|
13
|
+
|
14
|
+
```ruby
|
15
|
+
class Post < ActiveRecord::Base
|
16
|
+
belongs_to :user
|
17
|
+
end
|
18
|
+
```
|
19
|
+
|
20
|
+
What we need is a place to put the rules for dead_simple_authorization. The convention is that a PostPolicy class holds those rules. This policy class inherits from DeadSimpleAuthorization::Policy::Base:
|
21
|
+
|
22
|
+
```ruby
|
23
|
+
class PostPolicy < DeadSimpleAuthorization::Policy::Base
|
24
|
+
def update?
|
25
|
+
user == resource.user
|
26
|
+
end
|
27
|
+
end
|
28
|
+
```
|
29
|
+
|
30
|
+
Note that the Policy objects are instantiated with user and resource, so in this case user holds the user passed to the can? or authorize methods and resource a Post instance. That's it! Now, by including DeadSimpleAuthorization::Helpers in a controller for example, we can check permissions with either can? or authorize method this way:
|
31
|
+
|
32
|
+
```ruby
|
33
|
+
can?(current_user, :update, post)
|
34
|
+
```
|
35
|
+
or
|
36
|
+
|
37
|
+
```ruby
|
38
|
+
authorize(current_user, :update, post)
|
39
|
+
```
|
40
|
+
|
41
|
+
The convention when creating permission methods in PostPolicy is to have end in question mark, so by creating a rule such as update? the action that needs to be provided to authorize and can? methods is :update (i.e. the question mark needs to be removed and a symbol needs to be used).
|
42
|
+
|
43
|
+
That's pretty much it.
|
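Review bot: the README text added here does not match the constructor call in the helpers hunk. It says "Policy objects are instantiated with user and resource", while `can?` calls `.new(resource, user)`, so a reader subclassing `DeadSimpleAuthorization::Policy::Base` and overriding `initialize` will get the argument order wrong; state the order as `(resource, user)` or describe it by name only. The new string-to-symbol handling for `action` in `can?` is also undocumented, and the README still does not say what happens when no `#{resource.class}Policy` constant exists or when the policy lacks the `update?`-style method (a `NameError` from `const_get` or a `NoMethodError` from `send`, rather than a `NotAuthorized` error), which callers need to know in order to fail closed.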
@@ -24,6 +24,7 @@ module DeadSimpleAuthorization
|
|
24
24
|
# error, but returns the boolean outcome of the check
|
25
25
|
#
|
26
26
|
def can?(user, action, resource)
|
27
|
+
action = action.to_sym if action.is_a? String
|
27
28
|
policy_class = "#{resource.class}Policy"
|
28
29
|
policy = Object::const_get(policy_class).new(resource, user)
|
29
30
|
policy.send("#{action.to_s}?")
|
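Review bot: the added `action = action.to_sym if action.is_a? String` has no effect on the call below it, because `policy.send("#{action.to_s}?")` interpolates the value back to a string either way, and it interns caller-supplied strings as symbols, which on Ruby releases before 2.2 are never garbage collected. Drop the conversion and keep `action.to_s`, and replace `send` with `public_send` so that a caller-controlled action name cannot reach private methods of the policy; guarding with `policy.respond_to?("#{action}?")` and raising a clear error for unknown actions would also turn the current `NoMethodError` into a defined failure. The hunk does not show whether `authorize` delegates to `can?`; if it normalises `action` separately, it needs the same treatment.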
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dead_simple_authorization
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Pantelis Vratsalis
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2015-03-
|
11
|
+
date: 2015-03-06 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
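Review bot: `cert_chain: []` is unchanged, so 0.2.0 is still published unsigned and installers can only rely on the registry-side checksums above for integrity. The `version: 0.2.0` bump and the `date: 2015-03-06` stamp are consistent with each other; the truncated `version: 0.` and `date: 2015-03-` on the removed lines are rendering artefacts of this viewer, not values that were actually in the 0.1.0 gemspec.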
@@ -100,4 +100,3 @@ summary: A pretty simple solution for permissions on resources - framework agnos
|
|
100
100
|
test_files:
|
101
101
|
- spec/helpers_spec.rb
|
102
102
|
- spec/spec_helper.rb
|
103
|
-
has_rdoc:
|
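Review bot: removing the empty `has_rdoc:` key is just the output of a newer RubyGems version regenerating the specification and carries no behavioural change; no action needed.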