Model layer access control


#1

I already have a simple role based access control system (User, Role,
Privilege, Client) in place for my web layer, which checks
User.authorized?(controller, action, client) from a before filter.

What do you think about using this method for auth checks on the model
layer as well, only with made up controller/action strings? (e.g.
“model::Period”, “close”)

A bit simplistic for a multi user/client accounting system? I’m
certainly open for better suggestions, especially if they could
improve ease of use/maintenance.

Any feedback appreciated,
Isak


#2

I don’t see why you would ever need to provide access control to your
models. Access controls are for those things that the user can and
cannot directly access. In a Rails app, those things are Controllers
and items in the /public directory. No other parts of your Rails app
are directly exposed, so none of those other parts need their own
access controls…

-Brian


#3

“Brian” == Brian H. removed_email_address@domain.invalid writes:

I don’t see why you would ever need to provide access control to your
models. Access controls are for those things that the user can and
cannot directly access. In a Rails app, those things are Controllers
and items in the /public directory. No other parts of your Rails app
are directly exposed, so none of those other parts need their own
access controls…

It’s called “defense in depth”. If you have security in every layer,
you still have some protection if the security in one layer fails. If
you only have one layer of security, you lose everything if it fails.

	     Calle D. <removed_email_address@domain.invalid>
	 http://www.livejournal.com/users/cdybedahl/
 "I'd rather hang on to madness than normality" -- KaTe Bush