What features in login system?

Hi,

I’ve been following the discussions about roll-your-own, generators, plugins and engines with interest. I wonder how much people’s needs really vary when it comes to a login system. Right now the Rails wiki is not so helpful with a discussion of authentication in general and I would like to see the wiki improve. Perhaps the best way to start is with a list of authentication features people actually would like to have. Maybe the list will be long but if the list exists it will make it easier for someone new to roll their own if that is the best way to go. Also the list could be fleshed out with more wiki pages describing strategies for each item.

I would like to have

  • forgotten password emails
  • user roles

What features do you need?

Peter

I’ve only checked out Model Security and things I didn’t like about it:

  • appears to only use HTTP authentication, rather than HTML forms.
  • MySQL specific. Though porting to PostgreSQL et al should be trivial.
  • Waaay complex - lots of libs, helpers, models, views, controllers, etc.

Other than that, it appears to be well done and quite capable. But I’ll probably end up using pieces of it to suit my needs.

csn

— Peter M. [email protected] wrote:

improve. Perhaps the best way to start is with a



The model security can use html forms… Just click on cancel when the box comes up from the HTTP auth.

I think it’s a great idea to set up a list of desired features

I think that in addition to the forgotten password email and user roles, there is also a need to have the ability to either extend, or dynamically assign associations and fields to the user model without overwriting/modifying the code for the system. I want to be able to associate users with other objects in the app without changing the user.rb file in the login system. Login Engine does this presently.

Also a feature to allow certain roles to perform certain actions on the user (or a sub-set of users) via a config option. This option may mean that a separate Admin interface is not required. Not sure how this would work though, especially if you’re an admin, and therefore you can access every user, but the manager role option below is read first and so limits your options…
i.e.
config :allow_user_actions,
  :actions => ['list', 'edit', 'show'],
  :required_role => ['Manager'],
  :on_users => "department = #{current_user.department}"

config :allow_user_actions,
  :actions => [:all],
  :required_role => ['Admin'],
  :on_users => :all

A filter for a controller that sets the role required for actions.

Of course whatever system is put up, they should agree on the basic method names and where each of these methods is available and applied…
current_user
login_required
role_required
roles_allowed (maybe multiple roles should have access to the list of actions)
has_role
etc

Just a couple of thoughts…

If you remove the

On 11/12/05, CSN [email protected] wrote:

csn
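
Added example, not part of the thread or of any plugin discussed in it: one way the rule list proposed in the post above could be evaluated so that the Admin/Manager ordering question does not arise. `User`, `Rule`, `RULES`, `allowed_targets` and `allowed?` are hypothetical names, and expressing `:on_users` as attribute names compared in Ruby, instead of an interpolated condition string, is an assumption of this example.

```ruby
# Added example; User, Rule, RULES and the helpers are hypothetical names.
User = Struct.new(:name, :roles, :department)

# One Rule per proposed "config :allow_user_actions" entry. on_users is :all
# or a list of attributes that must match between actor and target, so the
# scope is compared in Ruby and no SQL text is built from user data.
Rule = Struct.new(:actions, :required_roles, :on_users) do
  def applies_to?(actor, action)
    (required_roles & actor.roles).any? &&
      (actions == [:all] || actions.include?(action.to_s))
  end

  def covers?(actor, target)
    return true if on_users == :all
    # A missing attribute never matches (nil == nil must not grant access).
    on_users.all? { |a| !actor[a].nil? && actor[a] == target[a] }
  end
end

RULES = [
  Rule.new(%w[list edit show], %w[Manager], [:department]),
  Rule.new([:all],             %w[Admin],   :all)
].freeze

# All matching rules are evaluated and their results unioned, so the outcome
# does not depend on declaration order. No matching rule means no access.
def allowed_targets(actor, action, users, rules = RULES)
  matching = rules.select { |r| r.applies_to?(actor, action) }
  users.select { |u| matching.any? { |r| r.covers?(actor, u) } }
end

def allowed?(actor, action, target, rules = RULES)
  allowed_targets(actor, action, [target], rules).any?
end

# Constructed sample users.
ALICE = User.new("alice", %w[Manager], "sales")
BOB   = User.new("bob",   %w[Manager Admin], "sales")
CAROL = User.new("carol", [], "sales")
DAVE  = User.new("dave",  [], "ops")
EVERYONE = [ALICE, BOB, CAROL, DAVE].freeze
```
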

In that case then you need to modify the User controller. Remove line 108 (and any others that you can find…)

http_authorize

I think this should do it.

— Liquid [email protected] wrote:

The model security can use html forms… Just click on cancel when the box comes up from the HTTP auth.

I don’t want it to come up at all.

csn

