monty
Rack-based authorization system.
More to come, but here's the gist for Rails 2.3.5:
In your environment.rb add:
  require 'monty'
  config.middleware.insert_after ActionController::ParamsParser, Monty::Watch
There may be other positions in the middleware stack that will work; I've tested this one.
Then you'll need to define your access rules. Create a file called authorization.rb in app/models.
Here's an example:
  class Authorization
    extend Monty::Access

    # This creates the following regex matching: \/posts(\/.*)?
    # Allows: /posts, /posts/, /posts/<any method>
    'posts'

    # This creates the following regex matching: \/posts(?!\/(destroy))(\/.*)?
    # Not allowed: /posts/destroy
    # Allows: /posts, /posts/, /posts/<any method but destroy>
    'posts' do
      resource 'posts' do
        except 'destroy'
      end
    end

    # This creates the following regex matching: \/posts\/(show|edit|update)
    # Only allows: /posts/show, /posts/edit and /posts/update
    'posts' do
      resource 'posts' do
        only 'show', 'edit', 'update'
      end
    end

    # Permissions can have more than one resource
    'public' do
      resource 'posts'
      resource 'welcome'
      resource 'feeds'
    end

    'my_account' do
      resource 'users' do
        only 'show', 'edit', 'update'
      end
    end

    # To make one of the above permissions public
    public_access 'public'

    # To make one of the above permissions protected
    protected_access 'my_account'
  end
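The three patterns quoted in the comments above, checked against constructed request paths. This is an added Ruby example, not Monty's own code. How Monty anchors its patterns is not stated here, so whole-path matching with \A...\z is an assumption, as are the names PATTERNS, RULES, allowed? and decision_table.

```ruby
# Added example, not Monty's code. Pattern sources are copied from the
# comments in the Authorization example; everything else is hypothetical.
PATTERNS = {
  'all'    => '\/posts(\/.*)?',                # plain permission
  'except' => '\/posts(?!\/(destroy))(\/.*)?', # except 'destroy'
  'only'   => '\/posts\/(show|edit|update)'    # only 'show', 'edit', 'update'
}.freeze

# Assumption: a rule must match the entire request path.
RULES = PATTERNS.transform_values { |src| Regexp.new("\\A(?:#{src})\\z") }.freeze

# True when the request path is covered by the named rule.
def allowed?(rule, path)
  RULES.fetch(rule).match?(path)
end

# Constructed sample request paths, not taken from any real application.
SAMPLE_PATHS = %w[
  /posts /posts/ /posts/show /posts/edit
  /posts/destroy /posts/destroy/1 /posts/destroyed /users/show
].freeze

# Builds { path => { rule => true/false } } so the rules can be reviewed
# as a decision table before they are deployed.
def decision_table(paths = SAMPLE_PATHS)
  paths.to_h { |p| [p, RULES.keys.to_h { |r| [r, allowed?(r, p)] }] }
end

if __FILE__ == $PROGRAM_NAME
  decision_table.each do |path, row|
    cells = row.map { |rule, ok| "#{rule}=#{ok ? 'allow' : 'deny'}" }
    puts format('%-18s %s', path, cells.join('  '))
  end
end
```

The table shows that the negative lookahead in the except pattern rejects every path beginning with /posts/destroy, including /posts/destroy/1 and /posts/destroyed, and that the only pattern does not cover the bare /posts path.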
Monty only has the concept of public and protected right now. After you have authenticated your user, you'll need to have some code in your resource that looks like:
  session[:access_rights] = Monty.authenticated_access
Don't forget to reset your session when the user logs out.
Ummm, I think that's it for now. Let me know if you have any questions.
This project is the replacement for Lockdown.
Note on Patches/Pull Requests
- Fork the project.
- Make your feature addition or bug fix.
- Add tests for it. This is important so I don't break it in a future version unintentionally.
- Commit, and do not mess with the rakefile, version, or history. (If you want to have your own version, that is fine, but bump the version in a commit by itself that I can ignore when I pull.)
- Send me a pull request. Bonus points for topic branches.
Copyright
Copyright (c) 2010 Andrew Stone. See LICENSE for details.