Comments on: Roles Testing For Security http://www.pathf.com/blogs/2008/10/roles-testing-for-security/ Running commentary about agile development, user experience design and Ajax. Fri, 05 Mar 2010 19:33:43 -0600 http://wordpress.org/?v=2.8.4 hourly 1 By: Jo Hund http://www.pathf.com/blogs/2008/10/roles-testing-for-security/comment-page-1/#comment-3607 Jo Hund Sun, 12 Oct 2008 23:03:06 +0000 http://www.pathf.com/blogs/?p=1193#comment-3607 Hi, I like your idea of using block helpers to limit access to certain parts of a view. I describe an alternative approach to checking permissions at the ActiveRecord level in my post <a href="http://clearcove.ca/blog/2008/08/recipe-restful-permissions-for-rails/" rel="nofollow">RestFul permissions in Rails</a> Hi,

I like your idea of using block helpers to limit access to certain parts of a view.

I describe an alternative approach to checking permissions at the ActiveRecord level in my post RestFul permissions in Rails

]]> By: grosser http://www.pathf.com/blogs/2008/10/roles-testing-for-security/comment-page-1/#comment-3596 grosser Sat, 11 Oct 2008 17:54:26 +0000 http://www.pathf.com/blogs/?p=1193#comment-3596 Nice and usable idea, but it can be even simpler and chainable too def admin? current_user and current_user.admin? end if admin? xxx end Thing.create_from_params_if_user_can(current_user, params[:thing]) why should all things know about the user, let the user know what he can or cannot, so the knowledge is at one place(and mostly the logic is the same, so everything can be handled in an case statement) Thing.create(params[:thing]) if current_user.can_create?(Thing) and in the views, the new link is only shown if the user can create this thing The idea is outlined here: http://pragmatig.wordpress.com/2008/06/29/separate-rights-management-from-controllers/ and some helpers that are based on this concept here: http://pragmatig.wordpress.com/2008/07/09/generic-smart-link_to_s-link_to_edit-link_to_destroy/ Nice and usable idea, but it can be even simpler and chainable too

def admin?
current_user and current_user.admin?
end

if admin?
xxx
end

Thing.create_from_params_if_user_can(current_user, params[:thing])

why should all things know about the user, let the user know what he can or cannot, so the knowledge is at one place(and mostly the logic is the same, so everything can be handled in an case statement)

Thing.create(params[:thing]) if current_user.can_create?(Thing)

and in the views, the new link is only shown if the user can create this thing

The idea is outlined here: http://pragmatig.wordpress.com/2008/06/29/separate-rights-management-from-controllers/
and some helpers that are based on this concept here: http://pragmatig.wordpress.com/2008/07/09/generic-smart-link_to_s-link_to_edit-link_to_destroy/

]]>