Rails 中使用数据库的动态角色授权。声明式授权是最佳选择吗?

发布于 2024-09-15 17:40:26 字数 151 浏览 20 评论 0原文

我需要提供动态角色分配(角色/权限)。更清楚地说,最终用户应该能够创建角色,向新用户分配权限。所以我正在考虑将每个用户的角色和权限存储在一个表中。

有没有一种聪明的方法来做到这一点(任何其他插件?),或者我应该编写代码来使用声明性授权来做到这一点。一些光会有所帮助。谢谢!

I will need to provide dynamic role assignments (Roles/ Privileges) .More clearly, an end user should be able to create a role, assign permissions to a new user. So I was thinking of storing roles and privileges in a table for each user.

Is there a smart way to do this (any other plugin?),or or should I write code to do this with Declarative Authorization . Some light would help.Thanks!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

谁对谁错谁最难过 2024-09-22 17:40:26

尝试回答这些问题以更接近解决方案:

  1. 角色本身是动态的吗?即管理员可以通过 Web 界面更改分配给各种角色的权限吗?如果是,那么您应该将此信息存储到数据库中。对于像博客这样的系统,角色是预先定义的,例如。管理员、访客和主持人、声明性授权就像一个魅力。
  2. 权限与 UI 的耦合有多强? (有时,您只需要限制几个地方,在其他情况下,例如社交网络,权限要复杂得多,并且与 UI 紧密耦合)。如果它的耦合非常紧密,即一个操作可用于所有类型的角色,但这些角色执行的操作受到其定义的限制,那么声明性授权(或类似的)不会有太大帮助,您需要一个遗留系统。

Try answering these to get closer to a solution:

  1. Are the roles themselves dynamic? i.e. Can the privileges assigned various to roles can be changed through the web interface by an Admin? If yes, then you should be storing this information into your database. For a system like a blog, where roles are pre-defined eg. Admin, Guest and Moderator, Declarative Authorization works like a charm.
  2. How strong is the coupling of permissions to the UI? (Sometimes it just a couple of places you need to restrict, in other cases, like a social network, permissions are a lot more complex and coupled tightly with the UI). If its very tightly coupled, i.e. one action is available to all sorts of roles but the actions these roles perform are limited by their definition, then Declarative Authorization (or the likes) won't help much, you need a legacy system.
半枫 2024-09-22 17:40:26

我最近在一个项目中使用了 CanCan ,觉得它非常酷。您创建一个能力类并使用它来决定用户是否“可以”执行该操作...您可以检查方法中表中是否存在权限,或者他们的规则集是否允许该操作。

我从 github 自述文件中获取了所有示例代码:

class Ability
  include CanCan::Ability

  def initialize(user)
    if user.admin?
      can :manage, :all
    else
      can :read, :all
    end
  end
end

然后在您的视图和控制器中您可以检查授权级别

<% if can? :update, @article %>
  <%= link_to "Edit", edit_article_path(@article) %>
<% end %>


def show
  @article = Article.find(params[:id])
  authorize! :read, @article
end

I've used CanCan recently in a project and think it was pretty cool. You create an Ability class and use it to decide if the user 'can' perform the action... You could check for existence of permissions in a table in the method, or if their ruleset permits the action.

I took all of this sample code from the github readme:

class Ability
  include CanCan::Ability

  def initialize(user)
    if user.admin?
      can :manage, :all
    else
      can :read, :all
    end
  end
end

Then in your views and your controller you can check authorization levels

<% if can? :update, @article %>
  <%= link_to "Edit", edit_article_path(@article) %>
<% end %>


def show
  @article = Article.find(params[:id])
  authorize! :read, @article
end
不寐倦长更 2024-09-22 17:40:26

Cancan 非常适合简单/启动项目,但如果您有一个整体应用程序,您绝对应该包装它。康康舞应该是一个早期的解决方案,但不是最终的解决方案。如果您查看策略对象(专家),它可能是您需要构建自己的授权模型的代码味道。像集成这样的授权因客户而异,如果您正在寻找更动态的解决方案或者您有太多角色可言,cancan 不适合您。您可能需要一个更加数据驱动的安全模型。例如,如果您可以授予其他人访问某个实体的权限。

Cancan is great for simple/starting projects but you should definitely wrap it if you have a monolithic app. Cancan should be a early solution but not a final one. If your looking at policy objects (pundit) it might be a code smell you need to build your own authorization model. Authorization like integration varies client to client and if your looking for more dynamic solutions or you have too many roles to speak of, cancan is not for you. You may need a more data-driven security model. For example if you can grant someone else access to an entity.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文