Forum: Ruby on Rails best authorization?

Frank (Guest)
on 2006-01-03 23:47
(Received via mailing list)
Hello,

I want to allow some users to manage other user accounts, but do not
want them to manage the admin account.

I have tried auth_generator, login_engine and user_engine

I am having a hard time getting this to work.
Looking for advice and help.

Thanks
Frank
Gerard (Guest)
on 2006-01-04 00:33
(Received via mailing list)
Hi Frank,

I've been messing with login_engine for a day or two and it works
nicely.
Going from there, I think what you want is not that hard to realise. If
you create an extra field in the users table which is called e.g.
maintained_by, then you can set up relations between what user-user can be
maintained by what admin-user (admin-user being a user with privileges to
manage other users).
Or, if it needs to be 'bigger': an extra table with a many-to-many
relationship if an enduser can be maintained by more than one admin-user
(but that seems like overkill).

Regards,

Gerard.


On Tuesday 03 January 2006 22:44, Frank tried to type something like:
> Thanks
> Frank

--
"Who cares if it doesn't do anything?  It was made with our new
Triple-Iso-Bifurcated-Krypton-Gate-MOS process ..."

My $Grtz =~ Gerard;
~
:wq!
Kevin O. (Guest)
on 2006-01-04 04:03
Frank wrote:
> Hello,
>
> I want to allow some users to manage other user accounts, but do not
> want them to manage the admin account.
>
> I have tried auth_generator, login_engine and user_engine
>
> I am having a hard time getting this to work.
> Looking for advice and help.
>
> Thanks
> Frank

The login/user engine combo supports multiple 'roles'.  There are two
edit functions, one that edits the current user and one that edits a
different one.  It is a simple matter to assign the permission to use
the one that edits other users to a 'superadmin' or 'admin' role.
Frank R. (Guest)
on 2006-01-04 05:37
(Received via mailing list)
I am having trouble understanding the user_engine.
It seems that if I uncheck all user permissions for a role called supervisor,
the user assigned to supervisor can still create a new user.

Is there any better documentation on login_engine and user_engine?

Frank
James A. (Guest)
on 2006-01-04 12:00
(Received via mailing list)
The administrator role (i.e. the one which the user engine has been
told to use as admin) is 'omnipotent' - i.e. any users with this role
will be able to perform all actions, no matter what the actual
permissions set to it are. It's basically a 'root' user. What you
probably want to do is create a *new* role for your supervisor - which
will, of course, respect the permissions you assign to it.

Aside from the RDoc in the code, there is no real documentation for
the user engine (or the login engine I suppose). Obviously it would be
great if there was more information, and I'll work on that when I get
the chance. However, docs will never be a substitute for reading (and
hopefully understanding) the code...

- james
Frank (Guest)
on 2006-01-04 19:12
(Received via mailing list)
ok,

I created a supervisor role and assigned delete_user and edit_user.

This role is allowed to delete admin.
I do not want admin to be changed or deleted by this role.

What can I do?

Frank
James A. (Guest)
on 2006-01-04 19:14
(Received via mailing list)
You want something that is beyond the scope of the user engine, i.e.
access control over specific objects.

The user engine only controls which actions a particular Role can
execute. However, you can control which objects can be manipulated by
providing different actions for manipulating each object type.

The user engine's own user-management actions will need to be
overridden if you want to impose restrictions on which objects they can
modify.

- james
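The distinction James draws above (a role-to-action permission table, which is all user_engine checks, versus a check on the specific object being acted upon) and Gerard's earlier suggestion of a maintained_by field, as one added example in plain Ruby. This is not login_engine or user_engine code and does not use Rails; the Authorizer class, the build_fixture helper, the maintained_by field name and the sample users are assumptions made for the example. The action names edit_user and delete_user are the ones Frank granted to his supervisor role. The point it shows is that the action-level check alone answers "yes" when a supervisor tries to delete the admin account, and that the object-level layer is where that has to be refused.

```ruby
require 'set'

# Constructed sample user record; `maintained_by` is the extra column
# Gerard suggested (an assumed name, not a login_engine/user_engine field).
User = Struct.new(:name, :role, :maintained_by, keyword_init: true)

class Authorizer
  ADMIN_ROLE = :admin

  def initialize
    # role => set of actions it may call. Unknown roles get an empty set,
    # so the check fails closed.
    @permissions = Hash.new { |h, k| h[k] = Set.new }
  end

  def grant(role, action)
    @permissions[role] << action
  end

  # Action-level check, the only kind a role/permission table expresses:
  # the admin role is omnipotent, every other role needs an explicit grant.
  def action_allowed?(actor, action)
    return true if actor.role == ADMIN_ROLE
    @permissions[actor.role].include?(action)
  end

  # Object-level check layered on top of the action-level one. Returns a
  # symbol naming the decision so a caller can log why a request was refused.
  def authorize(actor, action, target)
    return :denied_action unless action_allowed?(actor, action)
    return :allowed if actor.role == ADMIN_ROLE
    # A non-admin role never modifies an admin account, whatever actions
    # it has been granted.
    return :denied_protected if target.role == ADMIN_ROLE
    # A supervisor only manages the accounts assigned to them.
    return :denied_not_maintainer unless target.maintained_by == actor.name
    :allowed
  end
end

# Constructed fixture: one admin, one supervisor, two ordinary users.
def build_fixture
  auth = Authorizer.new
  auth.grant(:supervisor, :edit_user)
  auth.grant(:supervisor, :delete_user)
  users = {
    root:  User.new(name: 'root',  role: :admin),
    sue:   User.new(name: 'sue',   role: :supervisor, maintained_by: 'root'),
    bob:   User.new(name: 'bob',   role: :user, maintained_by: 'sue'),
    carol: User.new(name: 'carol', role: :user, maintained_by: 'root')
  }
  [auth, users]
end

if $PROGRAM_NAME == __FILE__
  auth, u = build_fixture
  # The action-level check alone lets the supervisor delete the admin:
  # this is the gap Frank ran into.
  puts "action-level only: #{auth.action_allowed?(u[:sue], :delete_user)}"    # true
  puts "with object check: #{auth.authorize(u[:sue], :delete_user, u[:root])}" # denied_protected
  puts auth.authorize(u[:sue], :edit_user, u[:bob])     # allowed
  puts auth.authorize(u[:sue], :edit_user, u[:carol])   # denied_not_maintainer
  puts auth.authorize(u[:bob], :edit_user, u[:carol])   # denied_action
  puts auth.authorize(u[:root], :delete_user, u[:sue])  # allowed (admin needs no grant)
end
```

In a real application the object-level branch is what the overridden user-management actions would call before loading or saving the target record; the action-level table on its own cannot express "every user except the admin".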
rhubarb (Guest)
on 2006-04-06 00:00
How about using ActiveRBAC instead?
I haven't used it but it has very nice documentation, which I've read,
and it seems it would do what you want.

https://activerbac.turingstudio.com/trac/wiki

(follow the link to the pdf documentation - it's simple and clear)

Has anyone tried this? How does it compare with other such plugins,
engines, generators?

What about this one - it seems more flexible still:

http://www.billkatz.com/authorization

but which is more mature?
Which one can I just plug in and run with?