245 Authorization [2.5d]

Posted over 8 years ago.

Reading

Understand how Consul and assignable_values can be used to implement arbitrary authorization systems.

Exercise: Read code

  • In Cards, users can be given deck-specific read/write access. Play around in the cards UI to see that functionality.
  • How does the application decide whether or not to render the "Edit card" button?
  • See if you can follow the code from the view that renders the button back to the code that is responsible for granting or denying access.

Exercise: Role-based authorization

Use Consul and assignable_values to implement role-based authorization in MovieDB:

  • Add a User#role field to MovieDB. The field can be switched between reader / writer / admin values.
  • A reader is allowed to view all movies. A reader is not allowed to create a new movie or edit or delete an existing movie.
  • A writer is like a reader, but is also allowed to create new movies. A writer can edit and delete the movies she created herself, but not movies created by other users.
  • An admin is allowed to create, view and edit and delete all movies.
  • The admin may change the author of any movie by picking a user option from a <select> in the movie form. However, non-admins should only see their own user as an option in the same <select>.

Remember to add tests for your authorization code.
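The role rules above, worked through as an added example that is not part of the card: a plain-Ruby stand-in for the Consul power class (no Rails, Consul or assignable_values loaded, so it runs stand-alone), with constructed sample users and movies. The user and movie structs, the `Power` class and its method names are assumptions for illustration; in MovieDB the same decisions would be written as Consul `power` blocks and the role / author whitelists as `assignable_values_for` blocks.

```ruby
# Stand-in for the MovieDB authorization rules (assumed names, not the card's code).
ROLES = %w[reader writer admin].freeze

User  = Struct.new(:id, :role) do
  def admin?;  role == 'admin';  end
  def writer?; role == 'writer'; end
end
Movie = Struct.new(:id, :title, :author_id)

# One Power instance per signed-in user, like a Consul power object.
class Power
  def initialize(user, users, movies)
    raise ArgumentError, "unknown role #{user.role.inspect}" unless ROLES.include?(user.role)
    @user, @users, @movies = user, users, movies
  end

  # Every role may view all movies.
  def movies
    @movies
  end

  # Writers and admins may create movies; readers may not.
  def creatable_movie?
    @user.writer? || @user.admin?
  end

  # Admins may edit and delete everything, writers only what they created.
  def updatable_movies
    return @movies if @user.admin?
    return [] unless @user.writer?
    @movies.select { |m| m.author_id == @user.id }
  end
  alias destroyable_movies updatable_movies

  def updatable_movie?(movie)
    updatable_movies.include?(movie)
  end

  # Options for the author <select>: admins see every user, others only themselves.
  def assignable_movie_authors
    @user.admin? ? @users : [@user]
  end
end

# Constructed sample data for trying the rules out.
SAMPLE_USERS  = [User.new(1, 'reader'), User.new(2, 'writer'), User.new(3, 'admin')]
SAMPLE_MOVIES = [Movie.new(1, 'Alien', 2), Movie.new(2, 'Heat', 3)]
```

With the sample data, the writer (user 2) may edit only `Alien`, the reader may edit nothing, and only the admin sees all three users in the author dropdown.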

Tip

If you have existing dropdowns that accept a restricted list of values (e.g. genre), you can simplify their implementation with assignable_values.

Discussion

Discuss with your mentor:

  • We don't want to duplicate our integration tests for every screen and user role. Why?
  • Where should authorization scenarios live? In a dedicated authorization.feature, or under each resource folder like the other scenarios?
  • If one role has, for a given resource, more permission than another role, should we have separate controllers and views?
Last edit: 6 days ago by Henning Koch
License: Source code in this card is licensed under the MIT License.
Posted by Henning Koch to makandra Curriculum (2015-08-05 11:58)