Best authorization?


#1

Hello,

I want to allow some users to manage other user accounts, but do not
want them to manage the admin account.

I have tried auth_generator, login_engine and user_engine

I am having a hard time getting this to work.
Looking for advice and help.

Thanks
Frank


#2

Hi Frank,

I’ve been messing with login_engine for a day or two and it works
nicely.
Going from there, I think what you want is not that hard to realise. If
you create an extra field in the users table which is called e.g.
maintained_by, then you can set up relations between what user-user can
be maintained by what admin-user (admin-user being a user with
privileges to manage other users).
Or, if it needs to be ‘bigger’: an extra table with a many-to-many
relationship if an enduser can be maintained by more than one
admin-user (but that seems like overkill).

Regards,

Gerard.

On Tuesday 03 January 2006 22:44, Frank tried to type something like:

Thanks
Frank


“Who cares if it doesn’t do anything? It was made with our new
Triple-Iso-Bifurcated-Krypton-Gate-MOS process …”

My $Grtz =~ Gerard;
~
:wq!


#3

Frank wrote:

Hello,

I want to allow some users to manage other user accounts, but do not
want them to manage the admin account.

I have tried auth_generator, login_engine and user_engine

I am having a hard time getting this to work.
Looking for advice and help.

Thanks
Frank

The login/user engine combo supports multiple ‘roles’. There are two
edit functions, one that edits the current user and one that edits a
different one. It is a simple matter to assign the permission to use
the one that edits other users to a ‘superadmin’ or ‘admin’ role.


#4

I am having trouble understanding the user_engine.
It seems that if I uncheck all user permissions for a role called supervisor,
the user assigned to supervisor can still create a new user.

Is there any better documentation on login_engine and user_engine?

Frank


#5

The administrator role (i.e. the one which the user engine has been
told to use as admin) is ‘omnipotent’ - i.e. any users with this role
will be able to perform all actions, no matter what the actual
permissions set to it are. It’s basically a ‘root’ user. What you
probably want to do is create a new role for your supervisor - which
will, of course, respect the permissions you assign to it.

Aside from the RDoc in the code, there is no real documentation for
the user engine (or the login engine I suppose). Obviously it would be
great if there was more information, and I’ll work on that when I get
the chance. However, docs will never be a substitute for reading (and
hopefully understanding) the code…

  • james

#6

ok,

I created a supervisor role and assigned delete_user and edit_user.

This role is allowed to delete admin.
I do not want admin to be changed or deleted by this role.

What can I do?

Frank
----- Original Message -----
From: “James A.” removed_email_address@domain.invalid
To: removed_email_address@domain.invalid
Sent: Wednesday, January 04, 2006 4:57 AM
Subject: Re: [Rails] Re: best authorization?

The administrator role (i.e. the one which the user engine has been
told to use as admin) is ‘omnipotent’ - i.e. any users with this role
will be able to perform all actions, no matter what the actual
permissions set to it are. It’s basically a ‘root’ user. What you
probably want to do is create a new role for your supervisor - which
will, of course, respect the permissions you assign to it.

Aside from the RDoc in the code, there is no real documentation for
the user engine (or the login engine I suppose). Obviously it would be
great if there was more information, and I’ll work on that when I get
the chance. However, docs will never be a substitute for reading (and
hopefully understanding) the code…

  • james

On 1/4/06, Frank R. removed_email_address@domain.invalid wrote:

Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails


#7

You want something that is beyond the scope of the user engine, i.e.
access control over specific objects.

The user engine only controls which actions a particular Role can
execute. However, you can control which objects can be manipulated by
providing different actions for manipulating each object type.

The user engine’s own user-management actions will need to be
overridden if you want to impose restrictions on which objects they can
modify.

  • james
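The distinction James draws above (role-based, action-level checks versus object-level checks on the target account), together with the ‘omnipotent’ admin role from #5 and Gerard’s maintained_by idea from #2, as one added plain-Ruby example. This is not code from login_engine or user_engine; the names Role, User, authorize and maintained_by are hypothetical, and the sample accounts are constructed.

```ruby
# Added example, not code from login_engine/user_engine: a plain-Ruby model of
# the two authorization layers discussed in the thread. All names (Role, User,
# authorize, maintained_by) are hypothetical.

# A role grants a set of action names. An "omnipotent" role (the engine's
# admin role, as described in post #5) passes every action check regardless
# of the permission list attached to it.
Role = Struct.new(:name, :permissions, :omnipotent) do
  def allows?(action)
    omnipotent || permissions.include?(action)
  end
end

# maintained_by is the optional "which admin-user looks after this account"
# field suggested in post #2 (nil means the account is not scoped to one maintainer).
User = Struct.new(:login, :roles, :maintained_by) do
  def has_role?(role_name)
    roles.any? { |r| r.name == role_name }
  end

  # Action-level check: this is all a role-based engine decides on its own.
  def can?(action)
    roles.any? { |r| r.allows?(action) }
  end
end

ADMIN_ROLE      = Role.new("admin", [], true)
SUPERVISOR_ROLE = Role.new("supervisor", %w[edit_user delete_user], false)
USER_ROLE       = Role.new("user", [], false)

# Constructed sample accounts.
ADMIN_USER  = User.new("admin", [ADMIN_ROLE], nil)
SUPERVISOR  = User.new("sue", [SUPERVISOR_ROLE], nil)
OTHER_SUPER = User.new("sam", [SUPERVISOR_ROLE], nil)
ALICE       = User.new("alice", [USER_ROLE], "sue")  # maintained by sue
BOB         = User.new("bob", [USER_ROLE], nil)      # not scoped to a maintainer

# Combined decision: first the action-level check the engine already performs,
# then the object-level rules the thread says must be added by overriding the
# engine's user-management actions. Returns a symbol naming the outcome.
def authorize(actor, action, target)
  return :forbidden_action unless actor.can?(action)

  # Object rule 1: only an admin may edit or delete an account holding the admin role.
  if target.has_role?("admin") && !actor.has_role?("admin")
    return :protected_target
  end

  # Object rule 2: a scoped account may only be managed by its maintainer (or an admin).
  if target.maintained_by && target.maintained_by != actor.login && !actor.has_role?("admin")
    return :not_maintainer
  end

  :allowed
end

if __FILE__ == $PROGRAM_NAME
  [[SUPERVISOR, "delete_user", BOB],
   [SUPERVISOR, "delete_user", ADMIN_USER],
   [OTHER_SUPER, "edit_user", ALICE],
   [ADMIN_USER, "delete_user", ALICE],
   [BOB, "edit_user", ALICE]].each do |actor, action, target|
    puts "#{actor.login} #{action} #{target.login}: #{authorize(actor, action, target)}"
  end
end
```

The point of the two-layer shape is that the supervisor role genuinely holds delete_user (so the action-level check passes, exactly as Frank observed in #6), and it is only the object rule in the overridden action that stops the admin account from being touched. In a Rails controller this would sit in the overridden edit/destroy actions before the record is changed, rather than in the role table.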

#8

How about using ActiveRBAC instead?
I haven’t used it but it has very nice documentation, which I’ve read,
and it seems it would do what you want.

https://activerbac.turingstudio.com/trac/wiki

(follow the link to the PDF documentation - it’s simple and clear)

Has anyone tried this? How does it compare with other such plugins,
engines, generators?

What about this one - it seems more flexible still:

http://www.billkatz.com/authorization

but which is more mature?
Which one can I just plug in and run with?