#385 Authorization from Scratch Part 1 (pro)
Oct 07, 2012 | 15 minutes | Security, Authorization
Authorization can be difficult to implement and test because it often involves complex logic that exists throughout the entire app. Here I demonstrate how to test and implement authorization from scratch.
Great episode! Anyone know what that "Randomized with seed 43829" line is? I haven't encountered that with Guard or RSpec before...
Yeah, you should find the following at the bottom of your spec/spec_helper.rb file:
This has been part of rspec for several months now, you probs just didn't notice it.
Oh, very cool! Never identified that as a potential issue, but I can see that it definitely could be. Yay rspec goodies!
It's there to ensure that your test cases are independent: that they pass regardless of the order in which they are run.
According to my Pry console, the Permission class has a class method called "members" which returns :user. I don't see where this method is defined... Does anyone know?
Members is a method that comes with Struct, which Permission inherits from in Ryan's example. http://ruby-doc.org/core-1.9.3/Struct.html
thanks
When I try to start the forum-after application (with rails s), I'm getting the following error. Does anyone know what's wrong, as in how to fix it? I did bundle install and it's not changing anything. Please note that I recently uninstalled MacPorts and the error might be associated with that, but I still don't know how to fix it.
fixed it by doing
brew uninstall node
brew install node
I am sure you will put this in Part 2, but I am implementing this in an app right now and needed a way to ensure they were an admin for the associated member they were viewing.
Then you can use the Id to fetch and check on an item if needed.
Yep, I am addressing this in part 2.
Only just checked back, and will now be watching Part 2. Can fix up my dodgy fix :)
Great Job, Ryan!
Can you please tell me why or what is the advantage of having your Permission class inherit from a Struct (class Permission < Struct.new(:user)), why a struct?
This is just a quick way to get a "user" attribute. It also saves me from having to define the "initialize" method here.
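To illustrate the two points raised above (the `members` class method that Struct provides, and why inheriting from `Struct.new(:user)` saves writing `initialize`), here is an added example; it is not code from the episode or from the forum app. The `allow?` method, its rules, and the constructed `User` struct are assumptions made for illustration, not the episode's own permission rules.

```ruby
# Added example, not the episode's code. Struct.new(:user) supplies a `user`
# reader, an initialize(user) constructor, and the `members` class method
# (=> [:user]) without any extra code in this class.
class Permission < Struct.new(:user)
  # Returns true when the user may run the given controller/action pair.
  # Rules below are assumptions for illustration: guests may only read
  # topics and use sessions, signed-in users may do anything with topics
  # except destroy them, and admins may do everything.
  def allow?(controller, action)
    return true if user && user.admin?

    case controller
    when "sessions"
      true
    when "topics"
      read_only = %w[index show].include?(action)
      read_only || (!user.nil? && action != "destroy")
    else
      false
    end
  end
end

# Constructed stand-in for an app's User model (assumption: it responds to admin?).
User = Struct.new(:name, :admin) do
  def admin?
    admin
  end
end

# The guard an ApplicationController before_filter might use (assumption);
# it raises unless the current user is allowed to run the requested action.
def authorize!(current_user, controller, action)
  raise "Not authorized" unless Permission.new(current_user).allow?(controller, action)
  true
end

if __FILE__ == $PROGRAM_NAME
  puts Permission.members.inspect                        # [:user]
  puts Permission.new(nil).allow?("topics", "show")      # true  (guest can read)
  puts Permission.new(nil).allow?("topics", "create")    # false (guest cannot write)
  alice = User.new("alice", false)
  puts Permission.new(alice).allow?("topics", "create")  # true
  puts Permission.new(alice).allow?("topics", "destroy") # false
  root = User.new("root", true)
  puts Permission.new(root).allow?("topics", "destroy")  # true (admin)
end
```

Because the class inherits from `Struct.new(:user)`, `Permission.new(current_user)` works with no `initialize` of its own, and `Permission.members` reports `[:user]`, which is exactly what the Pry console in the question above shows.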
Thanks Ryan. This is so cool, I have never thought of using struct in Ruby/Rails, only in C, C++.
Also, unrelated to this. Few months ago, you sent out an email about either cutting the number of episodes/week or raising price. I can tell you that, with no hesitation, I would pay triple, even for now. Your episodes are clear, your teaching is lucid and most important of all, I like learning from you. I am more eager to see your new episodes than the new Family Guy episodes. Really thank you and keep up the outstanding work.
Since the main check is in the application controller the permission logic feels like a controller to me, why not permissions_controller.rb in the controllers directory? - it just doesn't feel like a model to me. Is it just me?
It would be nice to have a part 3 or something which explains how this thought process carries over to CanCan, since you are the one who wrote it in the first place :)
Tempting for me to point out the allowy gem.
The implementation is very similar to what has been shown in this screencast.
Very lightweight, inspired by CanCan.
Even though it doesn't have much activity, it is being used in production heavily (so sometimes a project can be "finished" :) ).
ProTip: Don't use "if not," use "unless."
So the authorize method would go from:
To the more readable:
Thanks for the reminder. I've been using "if not" exclusively. I'll try to break this old habit.
You can use either one; there is no reason to use one or the other. The key is the readability of your code. Personally, I prefer "if not" because I find it easier to understand.
What is the best way to test using Test Unit?
Should I test it in my functional test or create a unit test?
Great episode.
I'm new to rails and so happy I subscribed.
Does anyone know if there is an issue with the video in this episode at the moment? Just subscribed and I seem to be able to play some of the newer episodes but not this one and some others (error is "Can't play video - Media Source has failed loading")
Scratch that, working again now, must have been a temporary hiccup
Great episode as usual. I love how you test everything. Moving the permissions into a model is definitely the way to go.
After implementing that authorization solution, many of my controllers specs started failing because they are not authorized to run without the proper permission. How can I fake permission in a controller test to fix this problem?
I prefer this approach to that of StrongParameters, which is now part of Rails4. Anyone have an idea of how this approach compares to SP? I ask because this episode was produced after your StrongParameters episode.