A stupidly simple authorization gem for Rails.
Make sure Gemcutter is in your repo sources:
$ gem sources -a http://gems.gemcutter.org
Installation:
$ sudo gem install authoritah
By default (i.e. when no Authoritah declarations are made) all requests are allowed. Authoritah is pretty flexible in introducing authorization rules to your application. An example is called for:
class WidgetController < ApplicationController permits :current_user => :admin? end
This is a wildcard rule. It assumes you have a method on your controller called “current_user” (as something like restful_authentication or authlogic would provide) that returns an object that can respond to an admin? message - the rule will pass if admin? returns true (or more strictly, non-false). Once a permit rule is defined access to the actions of this controller are ONLY permitted if you fulfill the predicate. If you just have a case where you have a method on your controller to check authorisation, you can do the following:
class WidgetController < ApplicationController permits :logged_in? end
What about if we only want to control access to certain actions? Easy, add a :to option and pass it an action or array of actions. You can add as many rules and scope them by action - Authoritah will ensure that a request is only permitted if all rules for a given action pass.
class WidgetController < ApplicationController permits :current_user => :admin?, :to => [:create, :destroy] permits :current_user => :logged_in?, :to => :show end
You also have the ability to expressly forbid access using the forbids directive:
class WidgetController < ApplicationController permits :current_user => :logged_in? forbids :current_user => :blacklisted?, :from => [:create, :destroy] end
In this scenario any logged in user can access the controller actions, but any user responding true to blacklisted? will be forbidden from running the :create or :destroy actions.
You can also pass a Proc as the predicate:
class WidgetController < ApplicationController forbids :current_user => Proc.new {|user| user.name.index("Hacky McHackster") } end
The Proc gets passed the result of the :current_user message to the controller for you to specify more complex rules.
I’ve also now added the ability to customise how the user is using the :on_reject option. You can either pass it a symbol identifying a method to call, or a Proc:
class WidgetController < ApplicationController permits :current_user => :logged_in?, :on_reject => :redirect_to_login forbids :current_user => :blacklisted?, :from => [:create, :destroy], :on_reject => Proc.new { redirect_to '/blacklisted' } def redirect_to_login flash[:notice] = "Please login to view widgets" redirect_to root_url end end
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent