- Watch Solving bizarre authorization requirements with Rails
- Read the Consul README
- Read the assignable_values README
Understand how Consul and assignable_values can be used to implement arbitrary authorization systems.
Exercise: Read code
- In Cards, users can be given deck-specific read/write access. Play around in the cards UI to see that functionality.
- How does the application decide whether or not to render the "Edit card" button?
- See if you can follow the code from the view that renders the button back to the code that is responsible for granting or denying access.
Exercise: Role-based authorization
Use Consul and assignable_values to implement role-based authorization in MovieDB:
- Add a User#role field to MovieDB. The field can be switched between the following roles:
- A reader is allowed to view all movies. A reader is not allowed to create a new movie or edit or delete an existing movie.
- A writer is like a reader, but is also allowed to create new movies. A writer can edit the movies she created, but not movies created by other users.
- An admin is allowed to create, view and edit and delete all movies.
Remember to add tests for your authorization code.
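The three roles above as a plain-Ruby permission model, added here as an example; it is not code from Cards, MovieDB or the gems. Consul and assignable_values are deliberately not loaded so the file runs stand-alone, so ROLES, build_user, Power, Powerless and permissions are this example's own names. Only Consul's naming convention is borrowed: a `power :movies do ... end` block yields `power.movies` and `power.movie?(movie)`, and `power :updatable_movies do ... end` yields `power.updatable_movie?(movie)`, which is the kind of query a view would use to decide whether to render an "Edit" button (the question asked in the read-code exercise above). Everything else is a hand-written stand-in.

```ruby
# Added example (not makandra's Cards/MovieDB code): a plain-Ruby model of the
# reader/writer/admin roles. Consul and assignable_values are NOT loaded so the
# file runs stand-alone; the Power method names copy Consul's convention, where
# `power :movies do ... end` yields power.movies and power.movie?(movie), and
# `power :updatable_movies do ... end` yields power.updatable_movie?(movie).

ROLES = %w[reader writer admin].freeze # what assignable_values_for :role would allow

User  = Struct.new(:id, :role)
Movie = Struct.new(:id, :title, :author_id)

class InvalidRole < StandardError; end
class Powerless   < StandardError; end # stand-in for Consul::Powerless

# Rejects any role outside ROLES, as assignable_values would do on validation.
def build_user(id, role)
  raise InvalidRole, "#{role.inspect} is not one of #{ROLES.join(', ')}" unless ROLES.include?(role)
  User.new(id, role)
end

class Power
  def initialize(user, all_movies)
    @user   = user       # nil when signed out
    @movies = all_movies # stands in for Movie.all; an array here, a scope in MovieDB
  end

  # Reader baseline: every signed-in user may see every movie.
  def movies
    @user ? @movies : []
  end

  def movie?(movie)
    movies.include?(movie)
  end

  # Writers and admins may create; readers and signed-out visitors may not.
  def creatable_movie?
    %w[writer admin].include?(role)
  end

  # Admins edit everything, writers only movies they created, readers nothing.
  def updatable_movies
    case role
    when 'admin'  then @movies
    when 'writer' then @movies.select { |m| m.author_id == @user.id }
    else []
    end
  end

  def updatable_movie?(movie)
    updatable_movies.include?(movie)
  end

  # Same shape as a Consul bang method: deny by raising, which is what a
  # controller-level guard does so that a forged edit request never reaches the model.
  def updatable_movie!(movie)
    raise Powerless, "#{role.inspect} may not edit movie #{movie.id}" unless updatable_movie?(movie)
    movie
  end

  # Only admins may delete, and only movies that actually exist.
  def destroyable_movie?(movie)
    role == 'admin' && @movies.include?(movie)
  end

  private

  def role
    @user&.role
  end
end

# Helper for tests: the full permission matrix of one user for one movie.
def permissions(user, all_movies, movie)
  power = Power.new(user, all_movies)
  { view:   power.movie?(movie),
    create: power.creatable_movie?,
    edit:   power.updatable_movie?(movie),
    delete: power.destroyable_movie?(movie) }
end
```

Because every check funnels through one Power object, the tests for the role rules can assert on that object directly and stay cheap; the integration tests then only need to confirm that each screen asks the Power (button hidden, request refused) rather than re-testing the matrix per role.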
Discuss with your mentor:
- Do we want to duplicate our integration tests so that every screen is tested once for each role?
- Where should authorization scenarios live: in authorization.feature, or under each model folder like the other scenarios?
- If one role has more permissions than another for a given resource, should we have separate controllers and views?