Rails ACL design question

Posted 2024-10-03 05:12:02


I am working on a legacy rails codebase and need to implement some ACL logic that is not based around standard CRUD operations on objects, but instead around custom logic about what parts of a page are shown to different groups of users. These page "parts" are not defined by any objects in the database, so my guess is that object-based ACL systems may not be the best fit here.

I am currently researching declarative_authorization but haven't yet determined if it can do anything other than object-based permissions.

This must be a rather common use-case for web applications and I'd prefer not to roll yet another ACL. Does anyone have a suggestion for a 3rd party library that would work well for this?


Comments (2)

寄风 2024-10-10 05:12:02


I think CanCan can help you. It's simple to use and should do just what you need. Here's a RailsCast: Authorization with CanCan

悟红尘 2024-10-10 05:12:02


I have looked through a whole bunch of different Authorization and ACL plugins and like you I did not like the CRUD approach that most of them used.

In the end, the most suitable for me was a setup similar to that which Redmine uses. I don't know if it originates from any named plugin but I spent some time getting to understand it and made the necessary adjustments for my case.

Basically what it does is to allow use of controllers and actions, either global or for specific models. You start with specifying what different permissions are assignable:

MyApplication::ACL.mapper do |map|
  # permission name => { controller => action or list of actions }
  map.permission :view_project,   {:projects => :show}
  map.permission :manage_project, {:projects => [:update, :edit, :post_status]}
  map.permission :delete_project, {:projects => :destroy}
end

Next step is to assign one or more permissions to a Role which is a model with a serialized field which can store the permissions, i.e.:

#<Role id: 1, name: "Intern", permissions: [:view_project]>
#<Role id: 2, name: "Member", permissions: [:view_project, :manage_project]>

And then you map the different Roles with Users by a Membership model. The Membership can also be mapped with specific models, like Project, since you might be allowed to manage one project but not another one, or it can be global like some index actions which should be restricted but you don't know which Model to authorize against yet.

In the controllers you verify all this by using:

  before_filter :authorize, :only => [:show, :update, :edit,
                                      :post_status, :destroy]

And authorize is of course a method that checks if the current user is a member of any role that has the permission required for the current Controller and Action.

This is, although a long description here, only in short how it works :) It is a lot more complicated than other ACL plugins out there but I think it is the most "clean" alternative while still allowing the flexibility that I need.
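The permission -> role -> membership -> authorize chain described in this answer, as an added plain-Ruby example that is not the answerer's code and not tied to Rails. AclMapper, Role, Membership, the scope field and authorized? are hypothetical names; the mapping and roles are the ones shown above.

```ruby
# Permission mapper: permission name => { controller => [actions] }
class AclMapper
  attr_reader :permissions
  def initialize; @permissions = {}; end

  def permission(name, actions)
    actions.each do |controller, acts|
      (@permissions[name] ||= {})[controller] = Array(acts)
    end
  end

  # All permissions that grant the given controller/action pair
  def permissions_for(controller, action)
    @permissions.select { |_, map| map[controller]&.include?(action) }.keys
  end
end

# Same mapping as the answer's MyApplication::ACL.mapper block
ACL = AclMapper.new
ACL.permission :view_project,   { projects: :show }
ACL.permission :manage_project, { projects: [:update, :edit, :post_status] }
ACL.permission :delete_project, { projects: :destroy }

Role = Struct.new(:name, :permissions)
# scope is nil for a global membership, or a project id for a scoped one
Membership = Struct.new(:user, :role, :scope)

# Mirrors the before_filter :authorize check: does the user hold, through a
# membership valid for this scope, a role granting controller/action?
# Unmapped actions are denied by default rather than silently allowed.
def authorized?(memberships, user, controller, action, scope = nil)
  needed = ACL.permissions_for(controller, action)
  return false if needed.empty?
  memberships.any? do |m|
    m.user == user &&
      (m.scope.nil? || m.scope == scope) &&
      (m.role.permissions & needed).any?
  end
end

# Constructed sample data: a global intern and a member of project 1 only
INTERN = Role.new("Intern", [:view_project])
MEMBER = Role.new("Member", [:view_project, :manage_project])
MEMBERSHIPS = [
  Membership.new("alice", INTERN, nil),
  Membership.new("bob",   MEMBER, 1),
]
```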
