These days I’ve been working on a new Authorization Framework for Rails Station.
After trying ACLs and suffering from some scalability issues, the final version seems to be stable.
Like previous versions, you can protect your controller actions using authorization_filter:

    class PostsController < ApplicationController
      # Only the :show action is filtered; it requires :read permission on the Post
      authorization_filter :read, :post, :only => [ :show ]
    end
Authorization is defined in each model using authorizing declarations:

    class Post < ActiveRecord::Base
      authorizing do |user, permission|
        # Allow all actions to the author of the Post.
        # For anyone else the block returns nil, so the next declaration in the chain is consulted.
        if user == agent
          true
        end
      end
    end
You can define and chain all the authorizing declarations you need. These declarations build an authorization chain, which is evaluated from the first one until one of the declarations returns true or false.
This is the response you get when calling:

    post.authorize? :read, :to => user
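To make the chain semantics concrete, here is an added, stand-alone model of the evaluation described above (it is not Station's code): the Authorizable module, the published flag, Post#agent and the two stand-in users are constructed for the example, and "all declarations abstain means deny" is an assumed default.

```ruby
# Added stand-alone model of the authorization chain described above. It is not
# Station's code: the Authorizable module, Post#agent/#published and the sample
# users are constructed for this example.
module Authorizable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Each call appends one declaration; they are evaluated in declaration order.
    def authorizing(&block)
      authorization_chain << block
    end

    def authorization_chain
      @authorization_chain ||= []
    end
  end

  # The first declaration that returns true or false decides; nil means "abstain"
  # and the next declaration is consulted. All abstain => deny (assumed default).
  def authorize?(permission, options = {})
    user = options.fetch(:to)
    self.class.authorization_chain.each do |declaration|
      verdict = instance_exec(user, permission, &declaration)
      return verdict if verdict == true || verdict == false
    end
    false
  end
end

class Post
  include Authorizable
  attr_reader :agent, :published
  def initialize(agent, published); @agent, @published = agent, published; end
  # Allow all actions to the author of the Post; nil (abstain) for everyone else
  authorizing { |user, _perm| true if user == agent }
  # Anyone may :read a published post; any other action by a non-author is denied
  authorizing { |_user, perm| perm == :read ? published : false }
end

AUTHOR, READER = Object.new, Object.new  # constructed stand-in users
def chain_demo
  post = Post.new(AUTHOR, true)
  { author_update: post.authorize?(:update, :to => AUTHOR),  # true  (1st rule)
    reader_read:   post.authorize?(:read,   :to => READER),  # true  (2nd rule)
    reader_update: post.authorize?(:update, :to => READER),  # false (2nd rule)
    private_read:  Post.new(AUTHOR, false).authorize?(:read, :to => READER) } # false
end
```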
Station comes with two default declarations:
- When a model acts_as_stage, the authorization queries will look for the permissions of the role the user is playing in the Stage.
- When a model acts_as_content, the authorization will query the Container.
You can check the documentation for more information about authorization in Station.