Authentication: UserEngine or own creation?

Hi all

I’m coding a project that needs a lot of authentication stuff… e.g. I
write sort of a profile area, where users can create their different
So I need to check if a user has the right to browse the profiles, if he
has the right to change them all (as an admin) or the ones that belong
to him etc. etc. This needs quite some logic…

Now I wonder whether to use the existing UserEngine for authentication
stuff, or if I should write my own…
I guess that the UserEngine needs quite a lot of performance because it
makes so many calls to the DB. And it only has controller/action pairs
that it can validate, so I don’t think that it fits my needs.

I rather thought about creating my own system, that does not validate
controller/action pairs, but “real” roles and permissions.

Semantic code:

class ProfilesController < ApplicationController
  def edit
    if user.has_right('EDIT_PROFILES') or user.belongs_to('ADMINS')
      # do edit stuff
    else
      render :partial => 'permission_error'
    end
  end
end

What do you think about that? Do I miss something or is it really better
to create my own authentication system rather than using the UserEngine?
Or are there other authentication systems available for Rails apps?

Thanks a lot for your opinions. :slight_smile:

On Thursday, August 10, 2006, at 4:13 PM, Joshua M. wrote:


The user_engine is pretty good so long as you don’t need record level
security. It can do roles and controls access through controller/action
pair permissions, as you noted.

It sounds like what you want to do is stick a before_filter before some
specific actions to deny access to a particular record if the current
user is not the owner of that record. You could do this…

before_filter :check_owner, :only => [:edit_profile, …]

def check_owner
  @item = Item.find(params[:id])
  # the right-hand side of the comparison is cut off in the original post;
  # current_user (the logged-in user's record) is assumed here
  unless @item.created_by == current_user.id
    flash[:notice] = "Access Denied"
    redirect_to :back
    return false
  end
end

I don’t know of any generic way to control record level access at the
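
Putting the two ideas in this thread together (the role/permission check from the question and the owner check from the reply) as plain Ruby, so it can be run without Rails. This is an added example, not code from either poster or from the user_engine; the Struct models, the policy class and the EDIT_PROFILES/ADMINS names are assumptions.

```ruby
# Constructed stand-ins for ActiveRecord models. Roles and rights are loaded
# onto the user once (e.g. per request), so each check below is a plain
# in-memory lookup rather than another trip to the database.
User    = Struct.new(:id, :roles, :rights)
Profile = Struct.new(:id, :created_by)

# Record-level authorization, deny by default: a user may edit a profile only
# if they hold the EDIT_PROFILES right, belong to the ADMINS role, or created
# the record themselves.
class ProfilePolicy
  def initialize(user)
    @user = user
  end

  def edit?(profile)
    return false if @user.nil? || profile.nil?
    has_right?('EDIT_PROFILES') || in_role?('ADMINS') || owner?(profile)
  end

  def has_right?(name)
    @user.rights.include?(name)
  end

  def in_role?(name)
    @user.roles.include?(name)
  end

  def owner?(profile)
    profile.created_by == @user.id
  end
end

# What a before_filter would do: consult the policy, then either let the
# action run (:edit) or deny access (:denied) instead of rendering the form.
def edit_profile(user, profile)
  ProfilePolicy.new(user).edit?(profile) ? :edit : :denied
end
```

The same policy object can back a link helper, so one set of rights loaded at login answers every "show this link?" question on a page.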


Thanks for your answer.

I just feel like the UserEngine is pretty slow, because it has to read
quite a bit from the DB as soon as you get many controllers. E.g. every
link_if_authorized seems to call the DB again, there’s no caching or
stuff like that.

Is the UserEngine in use in bigger projects? Or do they rather rely on
their own authentication implementation?

Btw. just stumbled over the table field “system role”… what’s this?

Thanks and greets,
