#385 Authorization from Scratch Part 1 pro
Oct 07, 2012 | 15 minutes | Security, Authorization
Authorization can be difficult to implement and test because it often involves complex logic that exists throughout the entire app. Here I demonstrate how to test and implement authorization from scratch.
- source codeProject Files in Zip (70.1 KB)
- mp4Full Size H.264 Video (38.1 MB)
- m4vSmaller H.264 Video (18.9 MB)
- webmFull Size VP8 Video (21.6 MB)
- ogvFull Size Theora Video (43.1 MB)
Great episode! Anyone know what that
Randomized with seed 43829line is? I haven't encountered that with Guard or RSpec before...
Yeah, you should find the following at the bottom of your spec/spec_helper.rb file:
This has been part of rspec for several months now, you probs just didn't notice it.
Oh, very cool! Never identified that as a potential issue, but I can see that it definitely could be. Yay rspec goodies!
It's there to ensure that your test cases are independent: that they pass regardless of the order in which they are run.
according to my Pry console. Permission class has a class method called "members" which return :user. I don't see where this method is defined...Does anyone know?
Members is a method that comes with Struct, which Permission inherits from in Ryan's example. http://ruby-doc.org/core-1.9.3/Struct.html
when I try to start the forum-after application (with rails s), I'm getting thie following error. Does anyone know what's wrong, as in how to fix it? I did bundle install and it's not changing anything. Please note that I recently uninstalled MacPorts and the error might be associated with that, but i still don't know how to fix it.
fixed it by doing
brew uninstall node
brew install node
I am sure you will put this in Part 2, but I am implementing this in an app right now and needed a way to ensure they were an admin for the associated member they were viewing.
Then you can use the Id to fetch and check on an item if needed.
Yep, I am addressing this in part 2.
Only just checked back, and will now be watching Part 2. Can fix up my dodgy fix :)
Great Job, Ryan!
Can you please tell me why or what is the advantage of having your Permission class inherit from a Struct (class Permission < Struct.new(:user)), why a struct?
This is just a quick way to get a "user" attribute. It also saves me from having to define the "initialize" method here.
Thanks Ryan. This is so cool, I have never thought of using struct in Ruby/Rails, only in C, C++.
Also, unrelated to this. Few months ago, you sent out an email about either cutting the number of episodes/week or raising price. I can tell you that, with no hesitation, I would pay triple, even for now. Your episodes are clear, your teaching is lucid and most important of all, I like learning from you. I am more eager to see your new episodes than the new Family Guy episodes. Really thank you and keep up the outstanding work.
Since the main check is in the application controller the permission logic feels like a controller to me, why not permissions_controller.rb in the controllers directory? - it just doesn't feel like a model to me. Is it just me?
It would be nice to have a part 3 or something which explains how this thought process carries over to CanCan, since you are the one who wrote it in the first place :)
Tempting for me to point out the allowy gem.
The implementation is very similar to what has been shown in this screencast.
Very lightweight, inspired by CanCan.
Even though it doesn't have much activity it is being used in production heavily (so sometimes project can be "finished" :) )
ProTip: Don't use "if not," use "unless."
So the authorize method would go from:
To the more readable:
Thanks for the reminder. I've been using "if not" exclusively. I'll try to break this old habit.
You can use either one, there is no reason to use one or the other. The key is the readability of your code. Personally, I prefer "if not" because I find it easier to understand.
What is the best way to test using Test Unit?
Should I test it in my functional test or create a unit test?
I'm new to rails and so happy I subscribed.
Does anyone know if there is an issue with the video in this episode at the moment? Just subscribed and I seem to be able to play some of the newer episodes but not this one and some others (error is "Can't play video - Media Source has failed loading")
Scratch that, working again now, must have been a temporary hiccup
Great episode as usual. I love how you test everything. Moving the permissions into a model is definitely the way to go.
After implementing that authorization solution, many of my controllers specs started failing because they are not authorized to run without the proper permission. How can I fake permission in a controller test to fix this problem?
I prefer this approach to that of StrongParameters, which is now part of Rails4. Anyone have an idea of how this approach compares to SP? I ask because this episode was produced after your StrongParameters episode.
Generic Viagra Online