245 Authorization [2.5d]


Reading

Understand how Consul and assignable_values can be used to implement arbitrary authorization systems.

Exercise: Read code

  • In Cards, users can be given deck-specific read/write access. Play around in the cards UI to see that functionality.
  • How does the application decide whether or not to render the "Edit card" button?
  • See if you can follow the code from the view that renders the button back to the code that is responsible for granting or denying access.

Exercise: Role-based authorization

Use Consul and assignable_values to implement role-based authorization in MovieDB:

  • Add a User#role field to MovieDB. The field can be switched between reader / writer / admin values.
  • A reader is allowed to view all movies. A reader is not allowed to create a new movie or edit or delete an existing movie.
  • A writer is like a reader, but is also allowed to create new movies. A writer can edit and delete the movies she created herself, but not movies created by other users.
  • An admin is allowed to create, view and edit and delete all movies.
  • The admin may change the author of any movie by picking a user option from a <select> in the movie form. However, non-admins should only see their own user as an option in the same <select>.

Remember to add tests for your authorization code.
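The following is an added example, not MovieDB, Cards or makandra code, showing the shape such an implementation and its tests can take. It deliberately uses neither gem so that it runs stand-alone: the role list is a plain constant where the real gem would declare it with assignable_values_for :role, and the Power class follows Consul's convention of one method per resource and action (a scope such as updatable_movies plus a boolean such as updatable_movie?) written as plain Ruby. All names in it (User, Movie, Power, NotAuthorized, ROLES, the sample users and movies) are assumptions for illustration. The part worth copying is the last function: the same power object that hides the "Edit" button must also guard the controller action, and the author_id coming back from the <select> must be re-checked against the assignable options, because hiding options in a form does not stop anyone from submitting a different id.

```ruby
# Added example (not MovieDB or makandra code): a plain-Ruby model of the
# role-based rules from the exercise. It avoids the consul and assignable_values
# gems so it runs stand-alone; Power mirrors Consul's style of one method per
# resource/action returning a scope or a boolean. All names here (User, Movie,
# Power, NotAuthorized, ROLES, the sample data) are assumptions for illustration.

ROLES = %w[reader writer admin].freeze

class NotAuthorized < StandardError; end

User = Struct.new(:id, :name, :role) do
  def initialize(id, name, role)
    # The role column accepts only the assignable values; anything else
    # (a typo, a tampered form value) is rejected instead of silently stored.
    raise ArgumentError, "unknown role #{role.inspect}" unless ROLES.include?(role)
    super
  end
end

Movie = Struct.new(:id, :title, :author_id)

class Power
  def initialize(user, movies)
    @user = user
    @movies = movies # stands in for Movie.all
  end

  # Every role may view every movie.
  def movies
    @movies
  end

  def movie?(movie)
    movies.include?(movie)
  end

  # Only writers and admins may create movies.
  def creatable_movies?
    %w[writer admin].include?(@user.role)
  end

  # Admins may edit everything, writers only what they authored, readers nothing.
  def updatable_movies
    case @user.role
    when 'admin'  then @movies
    when 'writer' then @movies.select { |m| m.author_id == @user.id }
    else []
    end
  end

  def updatable_movie?(movie)
    updatable_movies.include?(movie)
  end

  # The exercise gives delete the same rules as edit.
  alias destroyable_movie? updatable_movie?

  # Options for the author <select>: admins may reassign to anyone,
  # everyone else only sees themselves.
  def assignable_movie_authors(all_users)
    @user.role == 'admin' ? all_users : [@user]
  end
end

# View side: decide whether to render the "Edit" button.
def edit_button_visible?(power, movie)
  power.updatable_movie?(movie)
end

# Controller side: the same power object guards the update action, because a
# hidden button stops nobody from sending the request by hand. The submitted
# author_id is checked against the assignable options too; otherwise a writer
# could reassign a movie by editing the <select> in the browser.
def update_movie!(power, movie, params, all_users)
  raise NotAuthorized, 'cannot edit this movie' unless power.updatable_movie?(movie)
  if params.key?(:author_id)
    allowed_ids = power.assignable_movie_authors(all_users).map(&:id)
    raise NotAuthorized, 'author not assignable' unless allowed_ids.include?(params[:author_id])
    movie.author_id = params[:author_id]
  end
  movie.title = params[:title] if params.key?(:title)
  movie
end

# Constructed sample data for a stand-alone run.
USERS  = [User.new(1, 'alice', 'reader'), User.new(2, 'bob', 'writer'),
          User.new(3, 'carol', 'writer'), User.new(4, 'dave', 'admin')].freeze
MOVIES = [Movie.new(10, 'Heat', 2), Movie.new(11, 'Ronin', 3)].freeze

def power_for(name)
  Power.new(USERS.find { |u| u.name == name }, MOVIES)
end
```

With this layout the tests the exercise asks for are cheap: one power-level spec per role and action (a reader has no updatable movies, a writer only her own, an admin all of them) plus one request-level spec per guarded action that sends a forbidden request and expects the NotAuthorized outcome. That is also the answer to the first discussion question below: the power object is tested exhaustively once, and the screens only need a check that they consult it.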

Tip

If you have existing dropdowns that accept a restricted list of values (e.g. genre), you can simplify their implementation with assignable_values.

Discussion

Discuss with your mentor:

  • We don't want to duplicate our integration tests for every screen and user role. Why?
  • Where should authorization scenarios live: in a single authorization.feature, or in each resource's folder next to that resource's other scenarios?
  • If one role has more permissions on a given resource than another role, should we have separate controllers and views for each role?
License
Source code in this card is licensed under the MIT License.
Posted by Henning Koch to makandra Curriculum (2015-08-05 11:58)