Recently I’m working on a project where I have more than just admin and
normal users, and all the work was made with single controllers for all
features. I use some very useful techniques, and I will appreciate
criticisms. On this project, not just verbs are allowed/denied, but data
changes following the user role.
First, I use before_filters to make access control, based on roles,
categories and functions (at now it’s just C-R-U-D). A migration
all actions on the system (a big work, walking through controllers
and identifying true actions…). The ACL was made across the relationship of
roles, functions and the tool’s categories; all categories have their own
functions (CRUD again). The simple exclusion of verbs does not work as it was
on the first email in this thread, because links and other things will still
point to actions and errors will be raised.
To fix these problems, I just wrote a small plugin that overwrites the
link_to*** helpers, returning “” if the user has no access to the
To test these access restrictions I add useful methods like canCreate? or
canUpdate? to the user model.
The biggest problem was changing all data on the system based on the
because the logic behind the scenes was very deep: some roles have
hierarchical restrictions, other roles have no restrictions, etc…
Add to this scenario the fact that the system needs information’s
(the user selects specific parent data, and all the tree of data below this
parent data will be restricted to)!
… for this purpose I work with around_filters and with_scope… An
but useful code that wraps all the application data.
I speak of all these things because I think that this problem is not so
to an anti-DRY pattern, or this isn’t about REST in itself.
Keeping your code clean on real applications that have real roles
is very difficult, and sincerely I think that REST is not so useful in
case. I am not speaking against using REST (I really understand how REST
helps us)… The fact is that, REST or no REST, the problem was the same
a REST-based restriction will not help you.
P.S.: just think about the edit action! This is called through a GET action,
users that can’t update should not access this action…
On Dec 27, 2007 3:43 PM, Nathan E.
anyway, I learned a lot about rails 2 with those two posts! thank you!
Posted via http://www.ruby-forum.com/.
Everton J. Carpes
Mobile: +55 53 9129.4593
MSN: [email protected]
Jabber: [email protected]
“If art interprets our dreams, the computer executes them in the guise
programs!” - Alan J. Perlis
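As an added illustration (not the plugin or any code from the post above), the following plain Ruby sketch models the pieces the message describes: roles mapped to per-category CRUD functions, canCreate?/canUpdate?-style predicates on the user, a link helper that returns “” when the user lacks access, and a scope that restricts records to the subtree below a chosen parent. All names (ROLE_ACL, User, link_to_if_allowed, visible_records) and the sample data are assumptions; nothing here depends on Rails.

```ruby
# Role => category => allowed CRUD functions. Constructed sample data, not from the post.
ROLE_ACL = {
  "admin"  => { "articles" => %i[create read update delete] },
  "editor" => { "articles" => %i[read update] },
  "reader" => { "articles" => %i[read] },
}.freeze

class User
  attr_reader :role, :parent_id

  # parent_id is the root of the data subtree this user may see (nil = unrestricted).
  def initialize(role, parent_id: nil)
    @role = role
    @parent_id = parent_id
  end

  # Generic ACL check: is `function` allowed for `category` under this user's role?
  def can?(function, category)
    ROLE_ACL.fetch(role, {}).fetch(category, []).include?(function)
  end

  # can_create?/can_read?/can_update?/can_delete?, the predicates the post hangs on the user model.
  %i[create read update delete].each do |f|
    define_method("can_#{f}?") { |category| can?(f, category) }
  end
end

# Stand-in for the overridden link_to helper: emit the link only when the user may
# reach the action, otherwise return "" so no dangling link points at a denied action.
def link_to_if_allowed(user, text, category, action)
  return "" unless user.can?(action, category)
  %(<a href="/#{category}/#{action}">#{text}</a>)
end

# Stand-in for the around_filter/with_scope idea: keep only the selected parent and
# every record below it. Records are {id:, parent_id:} hashes (parent_id nil = root).
def visible_records(user, records)
  return records if user.parent_id.nil?
  allowed = [user.parent_id]
  loop do
    added = records.select { |r| allowed.include?(r[:parent_id]) && !allowed.include?(r[:id]) }
    break if added.empty?
    allowed.concat(added.map { |r| r[:id] })
  end
  records.select { |r| allowed.include?(r[:id]) }
end
```

The edit-via-GET case from the P.S. falls out of the same check: a before_filter would call `user.can_update?("articles")` for the edit action and deny it exactly as it does for update.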