当前位置: 文江博客话题详情

Rails Web 服务授权

发布于 2024-12-28 19:59:39 字数 253 浏览 2 评论 0原文

我的 Rails 应用程序几乎是多个 Web 服务的前端。我坚持我的用户模型,仅此而已。我需要向我的网络应用程序添加授权,使用 Devise 进行身份验证。我注意到 CanCan 和 acl9 似乎主要在 ActiveRecord 模型的实例上工作。 CanCan 或 acl9 仍能满足我的需求吗?在我的情况下使用这两个库有什么建议吗?

我应该寻找更适合操作而不是实例的东西吗?

另外,这些都是基于角色的系统,我正在考虑使用基于权限的系统。他们仍然很合适吗?

原文

My rails app is pretty much a front-end to several web services. I persist my User model, and that's about it. I need to add authorization to my web app, using Devise for authentication. I've noticed CanCan and acl9 seem to work mostly on instances of ActiveRecord models. Would CanCan or acl9 still fit my needs? Any tips on using either of these libraries in my situation?

Should I look for something that works more on actions instead of instances?

Also, these are both Role based systems, and I'm thinking of using a permission based system. Would they still be a good fit?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

荒芜了季节 2025-01-04 19:59:39

我不能代表 acl9。然而,cancan wiki 确实声称“如果没有提供的话,很容易制作自己的[模型]适配器。” https://github.com/ryanb/cancan/wiki/Model-Adapter换句话说,即使您没有使用 ActiveRecord,您仍然可以使用 cancan。

话又说回来,如果你不打算拥有角色,你在 cancan 中的能力定义可能看起来有点多余,例如:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)

    can :create, Widget if user.has_permission(:create_widgets)
    can :delete, Widget if user.has_permission(:delete_widgets)
    can :herp, Derp if user.has_permission(:herp_derp)
  end
end

如果你可以仅使用 cancan 来实现其控制器操作授权方法,那就太好了,但我不这样做知道这是否可能。祝你好运。

I can't speak for acl9. However, the cancan wiki does claim that "It is easy to make your own [model] adapter if one is not provided." https://github.com/ryanb/cancan/wiki/Model-Adapter In other words, even though you're not using ActiveRecord, you might still be able to use cancan.

Then again, if you're not planning on having roles, your ability definitions in cancan might be a little redundant looking, eg.:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)

    can :create, Widget if user.has_permission(:create_widgets)
    can :delete, Widget if user.has_permission(:delete_widgets)
    can :herp, Derp if user.has_permission(:herp_derp)
  end
end

It would be great if you could use cancan just for its controller action authorization methods, but I don't know if that's possible. Good luck.

回复 原文
冰葑 2025-01-04 19:59:39

只是为了(最后:)回答 acl9

Acl9 由两个非常独立的部分组成,访问控制子系统,它是您放入控制器中的所有授权内容,以及 Role Subsystem设置/检查/删除经过身份验证的用户的角色。

访问控制子系统曾经调用的唯一current_user.has_role?( role, obj=nil)。因此,角色子系统对 ActiveRecord、关联、数据库等具有零依赖性。一个帮助器 (acts_as_authorization_subject),它添加了一个依赖于 ActiveRecord 的 has_role?< /code> 方法到一个类,但这完全是可选的,您可以自由地实现自己的 has_role? 方法(也可以回退到调用super 获取 acl9)并根据需要实施访问检查。因此,您说您确实保留您的用户模型,但假设您希望用户的角色成为学校的管理员,但该学校是对某个远程系统的 Web 服务调用。

## in your model
class User < ActiveRecord::Base

  def has_role? role, obj=nil
    role == :admin  &&
      obj == school &&
      school[:admin] == id  # <-- just making up how we know we're the admin of the remote school
    end
  end

  def school
    @school ||= School.get_by_user_id(id)
  end
end

## in your controller
class SomeController < ApplicationController
  before_action :set_school

  access_control do
    allow :admin, of: :school
  end

  private
  def set_school
    @school = School.get_by_id(params[:school_id])
  end
end

Just to (finally :) answer for acl9.

Acl9 is composed of two very separate pieces, the Access Control Subsystem which is all the authorizing stuff you put in your controller, and the Role Subsystem which is setting/checking/removing roles from an authenticated user.

The only thing that the Access Control Subsystem ever calls is current_user.has_role?( role, obj=nil). So, the Role Subsystem has zero dependency on ActiveRecord, associations, database, etc. There is a helper (acts_as_authorization_subject) which adds an ActiveRecord-dependent has_role? method to a class, but that's entirely optional and you're free to implement your own has_role? method (which can also fallback to calling super to get the acl9 one) and implement your access checks however you please. So, you said that you do persist your user model, but let's say you want a role for your user to be the admin of a school, but that school is a web service call into some remote system.

## in your model
class User < ActiveRecord::Base

  def has_role? role, obj=nil
    role == :admin  &&
      obj == school &&
      school[:admin] == id  # <-- just making up how we know we're the admin of the remote school
    end
  end

  def school
    @school ||= School.get_by_user_id(id)
  end
end

## in your controller
class SomeController < ApplicationController
  before_action :set_school

  access_control do
    allow :admin, of: :school
  end

  private
  def set_school
    @school = School.get_by_id(params[:school_id])
  end
end
回复 原文
~没有更多了~

关于作者

傲性难收

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

佚名

文章 0 评论 0

羁客

文章 0 评论 0

天天爱笑的徐老师

文章 0 评论 0

文章 0 评论 0

夏日落

文章 0 评论 0

隐诗

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文