Posted about 5 years ago. Visible to the public.

Authorization [3d]


Understand how Consul and assignable_values can be used to implement arbitrary authorization systems.

Exercise: Read code

  • In Cards, users can be given deck-specific read/write access. Play around in the cards UI to see that functionality.
  • How does the application decide whether or not to render the "Edit card" button?
  • See if you can follow the code from the view that renders the button back to the code that is responsible for granting or denying access.

Exercise: Role-based authorization

Use Consul and assignable_values to implement role-based authorization in MovieDB:

  • Add a User#role field to MovieDB. The field can be switched between reader / writer / admin values.
  • A reader is allowed to view all movies. A reader is not allowed to create a new movie or edit or delete an existing movie.
  • A writer is like a reader, but is also allowed to create new movies. A writer can edit the movies she created, but not movies created by other users.
  • An admin is allowed to create, view and edit and delete all movies.

Remember to add tests for your authorization code.


Discuss with your mentor:

  • Do we want duplicate our integration tests so every screen is tested once for each role?
  • Where to put authorization scenarios? In authorization.feature or under each model folder, like the other scenarios.
  • If one role has, for a given resource, more permission than another rule, should we have separate controllers and views?

Owner of this card:

Henning Koch
Last edit:
about 1 month ago
by Henning Koch
Posted by Henning Koch to makandra Curriculum
This website uses short-lived cookies to improve usability.
Accept or learn more