#188 Declarative Authorization
- Download:
- source codeProject Files in Zip (106 KB)
- mp4Full Size H.264 Video (26.3 MB)
- m4vSmaller H.264 Video (17.3 MB)
- webmFull Size VP8 Video (45.3 MB)
- ogvFull Size Theora Video (38.4 MB)
This episode is going to cover authorization, specifically role-based authorization. With this a user can be assigned to a role which gives them certain permissions throughout an application. Authorization is a tricky subject to cover, not least because there are so many different authorization plugins and gems available. Another problem is that the best authorization solution depends on the type of application you’re writing.
This episode will focus on declarative authorization which is one of the more advanced solutions. At first it might appear to be a rather complicated but with a little effort you’ll discover that it provides a lot of powerful functionality and can handle a wide range of authorization needs.
Adding Authorization to Our Application
In this episode we’ll be working with a blogging application. The application’s home page shows a list of articles and each article can have a number of comments which are shown on that article’s page.
In its current state any user who visits the site can edit or delete any of the articles or comments which is obviously not what we want so we’ll be modifying the application to give each user a different level of functionality according to their role. We already have authentication set up on our site and there are links at the top of each page to allow users to sign up or log in. For this we used Authlogic, which was covered back in episode 160 [watch, read].
To add roles we’re going to create a new model called Role
which will have a string attribute called name
. The Role
and User
models will be linked by a has_many :through
relationship via a join model called Assignment
.
To assign roles to a user we’ll modify the sign-up form so that a user can choose their roles. This is done with a series of checkboxes using the technique described back in episode 17 [watch, read]. Obviously in a real world application we wouldn’t let users to choose their own roles but to keep this example application simple we’re going to allow this.
Our three roles will have different permissions: members of the admin role will be allowed to create, edit and destroy anything across the application; moderators will be allowed to edit anyone’s comments, but not articles; authors will be allowed to create articles and edit any articles that they have created and finally, users without any assigned role will be allowed to create comments and edit their own comments.
Getting Started With Declarative Authorization
Now that we know what we want to do let’s dive in and get started. Declarative authorization is available as a gem from Gemcutter so the first step we need to take is to add a reference to it in our application’s /config/environment.rb
file.
config.gem "declarative_authorization", :source => "http://gemcutter.org"
Then, to make sure that the gem is installed we’ll run
sudo rake gems:install
The permissions for the roles we’re defining for our application are going be defined in a new file called authorization_rules.rb
in the /config
directory. Declarative Authorization provides its own DSL for defining roles and permissions and this is how we’ll use it to define the permissions for the admin user.
authorization do role :admin do has_permission_on [:articles, :comments], :to => [:index, :show, :new, :create, :edit, :update, :destroy] end end
The roles are defined within an authorization
block. Each role has a name and also takes a block in which that role’s permissions are set out. We use the has_permission_on
method to define the permissions and this takes two parameters. The first is a list of the models that the role can access and this is followed by a :to
parameter which has a list of the permitted actions on those models.
We’ll define the other roles later and test what we’ve done so far now. Before we go any further though we’ll need to make one other change as declarative authorization doesn’t know how our roles are defined. We need to make a change to our User
model, adding a role_symbols
method that returns a list of the roles the user has as an array of symbols. If, for example, our User
model had an admin
attribute we could write this method this way so that the user belongs to the :admin
role if they are an admin.
def role_symbols [:admin] if admin? end
Our application is different is that it has a many-to-many relationship between User
and Role
and a user’s roles are defined when they sign up through the checkboxes we saw earlier. So in role_symbols
we’ll convert the current user’s roles into an array of symbols which is done like this:
def role_symbols roles.map do |role| role.name.underscore.to_sym end end
Declarative authorization will now be able to map a user’s roles to the roles we’re defining in the authorization_rules
file.
There are a couple of steps we still need to take. One is to set up a before_filter
in our ApplicationController
to tell declarative authorization what the current user is.
class ApplicationController < ActionController::Base helper :all protect_from_forgery before_filter { |c| Authorization.current_user = c.current_user } end
Finally we need to go into each of our controllers and add a before_filter
there to restrict access. We do this by calling a method that declarative authorization provides called filter_resource_access
. This method adds before filters to RESTful type controllers and also does one other thing: when filter_resource_access
is called it loads the single resource model so that it can check the access on it. This means that in each of the show
, new
, create
, edit
, update
and delete
actions we can remove the line that loads the model. We can do this in both the ArticlesController
and the CommentsController
in our application. If any of your controllers don’t follow the RESTful conventions then the documentation7 has details on how to deal with this.
Testing What We’ve Done
It has taken quite a bit of work to get this far but we’re finally at the stage where we can test what we’ve done so far. If we log in as a user with an admin role we can view the articles and the links to edit or delete articles and comments are visible. So far, so good, but when we log out though we see something unexpected:
This happens because the application redirects to the home page, the articles index page, when we log out and as a guest we don’t have permission to view that action. To fix this we need to add the permissions for the guest in the authorization_rules
file. The guest role is a special role reserved for users who are yet to sign up or log in or users who don’t have a role assigned to them.
authorization do role :admin do has_permission_on [:articles, :comments], :to => [:index, :show, :new, :create, :edit, :update, :destroy] end role :guest do has_permission_on :articles, :to => [:index, :show] has_permission_on :comments, :to => [:new, create] end end
In the guest role we give permission for guests to access the index and show actions for articles and the new and create actions for comments. With these changes in place when we reload the page we can see the list of articles again.
Hiding Links to Forbidden Actions
Although guest users cannot edit or destroy articles and comments the links for these actions are still shown. Our next step therefore is to remove these links for those users in roles that don’t have permission to execute the actions they link to. We’ll have to modify the view code to do this and declarative authorization provides a useful method called permitted_to?
to help with this.
In the view code for the ArticleController
’s show action we’ll use permitted_to?
to hide the links to edit or delete an article unless the current user has the appropriate permissions.
<p> <% if permitted_to? :edit, @article %> <%= link_to "Edit", edit_article_path(@article) %> | <% end %> <% if permitted_to? :destroy, @article %> <%= link_to "Destroy", @article, :method => :delete, :confirm => "Are you sure?" %> | <% end %> <%= link_to "Back to Articles", articles_path %> </p>
The permitted_to?
method takes two parameters: the name of an action and a model. Further down in the same file we’ll make a similar modification so that the links are hidden unless the current user can edit or delete a comment.
<p> <% if permitted_to? :edit, comment %> <%= link_to "Edit", edit_comment_path(comment) %> | <% end %> <% if permitted_to? :destroy, comment %> <%= link_to "Destroy", comment, :method => :delete, :confirm => "Are you sure?" %> <% end %> </p>
We also need to make a similar change in the index view to hide the new article link.
<% if permitted_to? :create, Article.new %> <p><%= link_to "New Article", new_article_path %></p> <% end %>
Note that as we don’t have an instance of an article in the index action we’ve used Article.new
instead.
When we reload the page now the edit and destroy links will be hidden unless the current user has the appropriate permissions.
Adding More Roles and Rules
Now that everything is set up all we need to do to alter access to the different parts of the site is to make changes to the authorization_rules
file. The DSL that’s provided allows us to set some fairly advanced rules. For example if we want to allow logged-in users who have no roles assigned to them to be able to edit their own comments we can add the following rule to the :guest
role.
role :guest do has_permission_on :articles, :to => [:index, :show] has_permission_on :comments, :to => [:new, :create] has_permission_on :comments, :to => [:edit, :update] do if_attribute :user => is { user } end end
Declarative authorization provides an if_attribute
method which can be used to add conditions to a permission. In the new rule above permission is only granted if the :user
attribute, that is the user the comment belongs to, is the currently logged in user.
If we now log in as a user with no roles and add a comment to an article we’ll see that we have an “edit” link for that comment but not the comments made by anyone else.
All we’ve had to do to enable this is make one change to the authorization_rules
file which shows how easy it is to set up rules like this.
Adding Permissions For Other Roles
We have set up three roles in our application but so far we have only defined permissions for one of them (as well as the guest role). We’ll add permissions for those roles now.
role :moderator do includes :guest has_permission_on :comments, :to => [:edit,:update] end role :author do includes :guest has_permission_on :articles, :to => [:new, :create] has_permission_on :articles, :to => [:edit, :update] do if_attribute :user => is { user } end end
Notice that we’ve used an includes
method here to give one role the permissions of another. Any user in the moderator role can do anything a guest can do and also edit and update anyone’s comments. Similarly authors can do all that a guest can do but can also create articles and update any articles that they have written.
A Better Error Message
To finish this episode we’ll make one last change to our application. If someone viewing our site tries to visit an action they don’t have access to they’ll see a basic error page with a message saying that they aren’t allowed to do that.
We can improve this by modifying our ApplicationController
. If we add a method called permission_denied
it will be executed when an attempt to call an unauthorized action is made. So instead of showing a bare error we’ll have our application redirect to the home page and show an flash message.
def permission_denied flash[:error] = "Sorry, you not allowed to access that page." redirect_to root_url end
Now when we try to access an action we’re not allowed to we’ll be redirected to the home page and shown a better error.
That’s it for this episode. Declarative authorization provides a neat, powerful solution for authorization in Rails applications and we’ve only really scratched the surface of what it can do. The documentation pages provide much more details and are well worth reading if you want to delve a little deeper.