Forum: Ruby on Rails Model layer access control

Isak Hansen (Guest)
on 2006-05-16 12:33
(Received via mailing list)
I already have a simple role based access control system (User, Role,
Privilege, Client) in place for my web layer, which checks
User.authorized?(controller, action, client) from a before filter.

What do you think about using this method for auth checks on the model
layer as well, only with made up controller/action strings? (e.g.
"model::Period", "close")

A bit simplistic for a multi user/client accounting system? I'm
certainly open for better suggestions, especially if they could
improve ease of use/maintenance.

Any feedback appreciated,
Isak
Brian Hughes (Guest)
on 2006-05-16 15:26
(Received via mailing list)
I don't see why you would ever need to provide access control to your
models. Access controls are for those things that the user can and
cannot directly access. In a Rails app, those things are Controllers
and items in the /public directory. No other parts of your Rails app
are directly exposed, so none of those other parts need their own
access controls...

-Brian
Calle Dybedahl (Guest)
on 2006-05-16 15:48
(Received via mailing list)
>>>>> "Brian" == Brian Hughes <brianvh@alum.dartmouth.org> writes:

> I don't see why you would ever need to provide access control to your
> models. Access controls are for those things that the user can and
> cannot directly access. In a Rails app, those things are Controllers
> and items in the /public directory. No other parts of your Rails app
> are directly exposed, so none of those other parts need their own
> access controls...

It's called "defense in depth". If you have security in every layer,
you still have some protection if the security in one layer fails. If
you only have one layer of security, you lose everything if it fails.
--
		     Calle Dybedahl <calle@cyberpomo.com>
		 http://www.livejournal.com/users/cdybedahl/
	 "I'd rather hang on to madness than normality" -- KaTe Bush
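As an added example, not code from the thread or from Rails itself: a plain-Ruby sketch of Isak's idea, where the same role lookup the controller filter uses (`User#authorized?`) is called a second time inside the model with the made-up `"model::Period"` / `"close"` key, so that a `Period` still refuses to close if a controller filter was bypassed. The `Privilege`, `Period`, `NotAuthorized` and `denied?` names and the sample users are assumptions.

```ruby
# Added example (not from the thread): the RBAC check reused at the model
# layer as a second line of defense. Names below are assumptions.
Privilege = Struct.new(:resource, :action, :client)

class User
  attr_reader :name, :privileges
  def initialize(name, privileges)
    @name = name
    @privileges = privileges
  end

  # Same signature as the web-layer check; here "resource" is a model key
  # such as "model::Period" rather than a controller name.
  def authorized?(resource, action, client)
    privileges.any? do |p|
      p.resource == resource && p.action == action && p.client == client
    end
  end
end

class NotAuthorized < StandardError; end

class Period
  attr_reader :client, :closed
  def initialize(client)
    @client = client
    @closed = false
  end

  # Model-layer check: refuses even if no controller filter ran.
  def close!(actor)
    unless actor.authorized?("model::Period", "close", client)
      raise NotAuthorized, "#{actor.name} may not close periods for #{client}"
    end
    @closed = true
    self
  end
end

# True when the model layer refuses the close for this user/client pair.
def denied?(user, client)
  Period.new(client).close!(user)
  false
rescue NotAuthorized
  true
end

# Constructed sample users: an accountant allowed to close for "acme",
# a clerk who may only view, and a cross-client attempt against "globex".
def demo
  accountant = User.new("ann", [Privilege.new("model::Period", "close", "acme")])
  clerk      = User.new("bob", [Privilege.new("model::Period", "view", "acme")])
  { accountant_closed: Period.new("acme").close!(accountant).closed,
    clerk_denied: denied?(clerk, "acme"),
    wrong_client_denied: denied?(accountant, "globex") }
end
```

The client argument matters as much as the action: a privilege granted for one client must not close periods belonging to another.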