Understand how Consul and assignable_values can be used to implement arbitrary authorization systems.
Exercise: Read code
- In Cards, users can be given deck-specific read/write access. Play around in the cards UI to see that functionality.
- How does the application decide whether or not to render the "Edit card" button?
- See if you can follow the code from the view that renders the button back to the code that is responsible for granting or denying access.
Exercise: Role-based authorization
Use Consul and assignable_values to implement role-based authorization in MovieDB:
- Add a
User#role field to MovieDB. The field can be switched between
- A reader is allowed to view all movies. A reader is not allowed to create a new movie or edit or delete an existing movie.
- A writer is like a reader, but is also allowed to create new movies. A writer can edit the movies she created, but not movies created by other users.
- An admin is allowed to create, view and edit and delete all movies.
Remember to add tests for your authorization code.