Posted about 3 years ago. Visible to the public.

Authorization

Reading

Understand how Consul and assignable_values can be used to implement arbitrary authorization systems.

Exercise: Read code

  • In Cards, users can be given deck-specific read/write access. Play around in the cards UI to see that functionality.
  • How does the application decide whether or not to render the "Edit card" button?
  • See if you can follow the code from the view that renders the button back to the code that is responsible for granting or denying access.

Exercise: Role-based authorization

Use Consul and assignable_values to implement role-based authorization in MovieDB:

  • Add a User#role field to MovieDB. The field can be switched between reader / writer / admin values.
  • A reader is allowed to view all movies. A reader is not allowed to create a new movie or edit or delete an existing movie.
  • A writer is like a reader, but is also allowed to create new movies. A writer can edit the movies she created, but not movies created by other users.
  • An admin is allowed to create, view and edit and delete all movies.

Remember to add tests for your authorization code.

Owner of this card:

Avatar
Henning Koch
Last edit:
about 3 years ago
by Emanuel De
Posted by Henning Koch to makandra Curriculum
This website uses cookies to improve usability and analyze traffic.
Accept or learn more