So, I’m wondering, what do all of you think of ActsAsRowSecured? I’m
a little wary because it appears to use a singleton UserContext and
jigger that back into a SecurityContext class under ActiveRecord.
i.e.

require 'singleton'

class UserContext
  include Singleton

  # Class-level store: one hash shared by the whole process
  @values = {}

  class << self
    def get(key)
      @values[key]
    end

    def set(key, value)
      @values[key] = value
    end
  end
end

class AccessControlled < ActiveRecord::Base
  # Runs once per subclass, when that subclass is defined
  def self.inherited(subclass)
    subclass.send(:acts_as_row_secured,
                  :conditions => { :user_id => SecurityContext.context_info(:user_id) })
  end
end

Isn’t it pure heresy to reference session data by proxy through
Singletons with an ActiveRecord override? This seems like an
egregious violation of MVC to me.
Isn’t it better to simply apply a scope to your AR models in
ApplicationController as follows?

class ApplicationController
  around_filter ScopedAccess::Filter.new(Posts, :accessible)

  protected

  # Scope applied to finds and creates for the duration of each action
  def accessible
    { :find   => { :conditions => ["user_id = ?", session[:user_id]] },
      :create => { :user_id => session[:user_id] } }
  end
end

Adopted from http://www.caboo.se/articles/2006/2/22/nested-with_scope
Can someone confirm my suspicions or allay my fears regarding
acts_as_row_secured? Or, am I being a religious zealot by insisting on
MVC purity here? Better yet, is there another idiom that’s even more
ironclad than the caboo.se ScopedAccess one?
Tony
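
Added example (not part of Tony's post and not the plugin's or caboo.se's code): a plain-Ruby sketch of two things to check in a design like the first snippet, namely whether a process-wide context can hand one request another request's user_id, and whether a condition hash built once at class-definition time ever sees the per-request value. GlobalContext, ThreadContext, simulate and eager_vs_lazy are hypothetical names, and the user ids are constructed sample values.

```ruby
require 'thread'

# Process-wide store, shaped like the UserContext in the post (constructed).
class GlobalContext
  @values = {}
  class << self
    def get(key); @values[key]; end
    def set(key, value); @values[key] = value; end
  end
end

# Per-thread store (hypothetical alternative). On a thread-pool server it
# must also be cleared at the end of every request.
class ThreadContext
  def self.get(key); (Thread.current[:ctx] ||= {})[key]; end
  def self.set(key, value); (Thread.current[:ctx] ||= {})[key] = value; end
end

# Two overlapping "requests": A sets user 1, B sets user 2, and only then
# does A build its row-level condition.
def simulate(context)
  a_set, b_set, seen = Queue.new, Queue.new, {}
  ta = Thread.new do
    context.set(:user_id, 1)
    a_set << true
    b_set.pop                      # wait until B has set its own user
    seen[:a] = { :user_id => context.get(:user_id) }
  end
  tb = Thread.new do
    a_set.pop                      # wait until A has set its user
    context.set(:user_id, 2)
    b_set << true
    seen[:b] = { :user_id => context.get(:user_id) }
  end
  [ta, tb].each(&:join)
  seen
end

# A hash literal is evaluated where it is written; a lambda defers the lookup.
def eager_vs_lazy(context)
  context.set(:user_id, nil)       # state at class-definition time
  eager = { :user_id => context.get(:user_id) }
  lazy  = lambda { { :user_id => context.get(:user_id) } }
  context.set(:user_id, 7)         # state once a request has logged in
  [eager, lazy.call]
end
```

With GlobalContext, request A ends up scoped to user 2; with ThreadContext it keeps user 1. The eager hash keeps the nil captured before any request set a user.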