New Plugin: RESTful_Acl

I’d like to announce my very first plugin: RESTful_Acl

=What it does=
RESTful_Acl is a simple access control layer; it allows you to restrict
access on a fine-grained level to any RESTful MVC stack. While the ACL
structure and engine are provided by this plugin, the implementation is
fully up to the user. Every application is different and everyone likes
to set up their User / Account / Role resources differently; this plugin
will allow you to do your thing and keep that thing locked down.

The full write up and source can be found at:
http://code.google.com/p/restful-acl/

Thoughts and suggestions are welcome!

Thanks Matt!

It would be great if the instructions would cover a bit more how to use
it. I’m just fighting with it.

undefined local variable or method `error_url' is the error I have now.
And I only added before_filter :has_permission? to one controller. I’m
not so experienced with RoR but anyway…

Regards

It seems as though you’re using the first revision of RESTful_ACL that
expected a few named routes to exist. I’ve taken these requirements out
in the latest versions, so if you update the plugin you should be ready
to roll right away.

./script/plugin remove http://restful-acl.googlecode.com/svn/tags/restful_acl
./script/plugin install http://restful-acl.googlecode.com/svn/tags/restful_acl

Hope this helps and thanks for checking out RESTful_ACL!

Hi,

As part of another topic you were asking for suggestions/comments about
the plugin documentation.

This post: Using roles vs namespaces for admin - Rails - Ruby-Forum

I started looking at it but decided to put it away since I’m not so
experienced.
I hope you could make an example of how to use it and integrate it
into a simple app.

The contents of the readme are pasted below (not much help there)


RestfulAcl

Introduction goes here.

Example

Example goes here.


Then the other piece of info is in google code:
http://code.google.com/p/restful-acl/

But again that’s for experienced people. What kind of user model is
needed, role model? Again a simple example would be much more helpful.

undefined local variable or method `error_url'
That was the first problem I had. Besides not knowing how to get the
plugin in the first place, since you assume that people know how to add
the repository before installing. I didn’t, so I had to ask again.

Still the error_url was not fixed. Now, based on some other info from the
last days, it might be that I just need to create an “error” route in the
routes file and that’s what you are calling. But still it requires some
further additions.

Part of your documentation is “and a smattering of mapped URLs in order
to work.” Well, that’s something I would really elaborate a “bit” more.

Of course you can target your plugin to people with a lot of experience,
but I’m sure many people will look at the info available before deciding
to try it out.

I guess this is some feedback already :sunglasses:

Cheers!

Hi, excellent! I’ll give it a try and see how it goes after I finish
some stuff. I’m learning every minute :sunglasses:

Thanks.

comopasta Gr wrote:

Hi,

As part of another topic you were asking for suggestions/comments about
the plugin documentation.

Good point about the readme file; I will update that with the contents
from the Google repository.
The write up says that this plugin expects that you are using the
RESTful_Authentication plugin; it creates the User model for you and
also supplies other needed methods. All you need to do is add the
before_filter to the User controller and the four CRUD functions to the
User model and RESTful_ACL is ready to work. Just follow the steps in
the Google write up and you’ll be up and running in seconds.

The write up now includes directions on how to add the required named
routes to your routes.rb file.
Experience is all relative; I’d only used RoR for a few months at the
time of writing RESTful_ACL :slight_smile:

Thank you for the feedback and I hope this will help!

Hello,

Sorry if my question looks stupid but I am quite new with RoR. I am
looking at an ACL plugin for my projects (I have already decided on
Restful_Authentication) and I have a question about restful_acl.
Let’s say that I have 2 roles: teachers and students, and a note model.
A teacher can create, update, view, delete his notes (not the ones from
another teacher) and a student can only see his notes.

If I understood correctly, in note.rb (my model) I need to define
the 4 methods described in the plugin documentation (is_updatable,
is_deletable, …). But I am not sure how to write these methods to
restrict the access depending on the note I am evaluating and not
only the role?

def is_updatable_by(user)
  # note should be updatable only by the teacher who created it
  user.is_teacher? and ???
end

def self.is_readable_by(user, object = nil)
  # note should be readable only by all the teachers or by the student who has this note
  user.is_student? or user.eql?(object.author)
end

Thanks very much for your help.
Additional question: why are some of the methods “self.” and not the
others?

On 29 Mar 2008, at 09:59, Tranquiliste wrote:

def is_updatable_by(user)
  # note should be updatable only by the teacher who created it
  user.is_teacher? and ???
end

Given you have a relationship

  belongs_to :owner, :class_name => "Teacher", :foreign_key => "owner_id"

def is_updatable_by(user)
  # note should be updatable
  user.is_teacher? and self.owner == user
end

Best regards

Peter De Berdt

Thanks both of you for the answers. I am going to look at them.

Nicolas

Tranquiliste wrote:

Thanks very much for your help.
Additional question : why are some of the method “self.” and not the
others?

Hi Tranquiliste, thanks for using RESTful_ACL! To answer your questions:

To restrict editing of a Note to only the Teacher who created it I would
do (in Note)

belongs_to :author, :foreign_key => 'created_by_id', :class_name => 'Teacher'

def is_updatable_by(user)
  user.eql?(author)
end

def self.is_readable_by(user, object = nil)
  # object is nil for the index action; guard it so a non-teacher is denied
  # instead of raising NoMethodError on nil
  user.is_teacher? || (!object.nil? && object.student_id == user.id)
end

When you say ‘note should be readable by the student who has this note’
I’ve assumed that you’re linking each Note with a Student in some
fashion.

As for your last question: the is_readable_by and is_creatable_by
methods are class methods, meaning that they operate at the class level
and not with just a single object. (Note instead of note, if you get my
drift). That’s where the ‘self’ comes into play.

Tranquiliste wrote:

Hello,

Sorry to bother you again but what if several teachers can modify the
note and a teacher can modify several notes? (which means we have a
model note-owner?)

Tranquiliste wrote:

In Note.rb:

def is_updatable_by(user)
  user.eql?(author) || user.is_a?(Teacher)
end

Thanks again, but in my case not all the teachers can modify the note,
only those who have been authorized.

On 30 Mar 2008, at 09:21, Tranquiliste wrote:

Thanks again, but in my case not all the teachers can modify the note,
only those who have been authorized.

A bit of common sense could take you a long way:

def is_updatable_by(user)
  user.eql?(author) || (user.is_a?(Teacher) && user.is_authorized?)
end

Replace the is_authorized? method with something else if you want,
maybe something that has a bit more logic behind it…

Best regards

Peter De Berdt

Hello,

Me again, because I don’t understand why the is_readable_by method is
defined as a class method. If I have a class Invoice and someone
asks to view an invoice, it should call
@invoice.is_readable_by(current_user) and not a generic
Invoice.is_readable_by(current_user).

Would you mind explaining this choice?

Thanks very much
Nicolas

Sorry I am stupid, I have just understood something (I won’t tell you
what because I will look even more stupid), and I think I am ready now
to do what I want.

Thanks again for your help

Nicolas

Tranquiliste wrote:

Would you mind explaining this choice?

Sure thing.

The is_readable_by() method pulls double duty. It is a class method as
it supports the Object::index action, along with the Object::show
action.

Since the index action usually deals with a collection of objects, it
must be a class method. The method includes a parameter variable,
object, that can represent a singular object when checking access on
that singular object. This takes care of the Object::show action (that
normally deals with just one object).

In your case, if you want to check access on a singular invoice object,
you can do:
Invoice.is_readable_by(current_user, @invoice).

Hope this helps!
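The thread above settles two things: a teacher may edit a note only when the author or explicitly authorized (Peter's reply), and is_readable_by is a class method so it can serve both index (no object) and show (object passed in). The plain-Ruby example below is added here and is not the plugin's code; the User and Note classes, the `editors` list standing in for the note/owner relationship, and the `permitted?` dispatcher are all constructed for illustration of what a has_permission? filter boils down to.

```ruby
User = Struct.new(:id, :role) do
  def is_teacher?; role == :teacher; end
  def is_student?; role == :student; end
end

class Note
  attr_reader :author, :student_id, :editors

  # editors: the teachers explicitly authorized to modify this note, i.e. the
  # note/owner many-to-many relationship asked about above (constructed here)
  def initialize(author:, student_id:, editors: [])
    @author, @student_id, @editors = author, student_id, editors
  end

  # Class method doing double duty: index passes no object, show passes one.
  def self.is_readable_by(user, object = nil)
    return true if user.is_teacher?
    # a student may only read a note linked to them; with no object (index)
    # the unfiltered collection is denied
    !object.nil? && object.student_id == user.id
  end

  def self.is_creatable_by(user)
    user.is_teacher?
  end

  def is_updatable_by(user)
    user.eql?(author) || (user.is_teacher? && editors.include?(user))
  end

  def is_deletable_by(user)
    user.eql?(author)
  end
end

# Hypothetical dispatcher (not the plugin's has_permission? filter) showing
# which hook each RESTful action maps to; unknown actions are denied.
def permitted?(user, action, klass, object = nil)
  case action
  when :index         then klass.is_readable_by(user)
  when :show          then klass.is_readable_by(user, object)
  when :new, :create  then klass.is_creatable_by(user)
  when :edit, :update then object.is_updatable_by(user)
  when :destroy       then object.is_deletable_by(user)
  else false
  end
end
```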