Rails authorization systems like CanCan, Declarative Authorization and role_requirement get most of the attention, but they are by no means your only options for adding permission systems to your applications. My current favorite is none of these (in fact, it’s not even listed in the list of authorization options in Ruby Toolbox). I’ve been using RESTful_ACL by Matt Darby. Its approach to an access control layer is different than other solutions.
In particular, ACL settings center more around your application’s models than they do the notion of roles. For me, this works out well for one main reason: At the top level I like to keep my apps’ user options pretty basic–you’re either an administrator, or a user, or a guest (not logged in). I don’t have authors, editors, moderators, well-wishers, and so on, so I don’t need a separate table to keep track of all these different roles. It’s also worth noting that unlike other authorization systems, which put your application’s authorization settings in a single configuration file, RESTful_ACL’s authorization settings for each model are included in the model file itself. (As I get more exposure to the likes of Declarative Authorization and CanCan I think I like the central file idea better.)
In the next series of posts on Everyday Rails I’ll cover the use of RESTful_ACL in application authorization, staring with a couple of tips for configuring your application to use the gem. To begin, follow the instructions provided in RESTful_ACL’s repository to add it to your app. It’s assumed you’ve got some sort of authentication system in place (Devise, Restful Authentication, Authlogic, etc.). For my apps, I also have an is_admin boolean value set up in my User model, giving some users the ability to do anything within the app (see Hacking Restful Authentication). If your application requires more roles for users, you can either create your own roles mechanism or look into one of the many role-supporting gems or plugins available.
The config.gem part should be straightforward. You’ll also need to add a route to redirect to when a user tries to do something he’s not authorized to do. I usually put this in the sessions controller created by Restful Authentication:
map.denied 'denied', :controller => 'sessions_controller', :action => 'denied'Don’t forget to add a denied method to your sessions controller and a corresponding view file. Your code is now ready to use RESTful_ACL for validating that users may perform functions within your application.
Next time I’ll apply RESTful_ACL to a basic Rails application, showing how to add ACL settings to a parent and child model and give different people different levels of access depending on whether they’re logged in or are application administrators.
If you liked my series on practical advice for adding reliable tests to your Rails apps, check out the expanded ebook version. Lots of additional, exclusive content and a complete sample Rails application.
Ruby on Rails news and tips, and other ideas and surprises from Aaron at Everyday Rails. Delivered to your inbox on no particular set schedule.