padrino-framework
Improved granularity for access control
onethirtyfive has an idea for access control explained by this code sample:
http://gist.github.com/380467
onethirtyfive mentioned forking the project and trying to implement this. I think it would be pretty cool! What do you guys think?
The basic idea is to have authorization scoped by controller named routes and the user's roles:
# app/config/access_control.rb
Padrino::Strategies.add(:admin) do |request, user, roles|
  # evaluated in the context of the request in the route
  # access to params, headers, @user, instance variables
  roles.include?(:admin) && request.params[:foo] == 'bar'
end

# app/controllers/posts.rb
App.controllers :posts do
  # authorize_with :admin, :only => :destroy
  post :destroy, :with => :permalink, :authorize_with => :admin do
    @post = # ...
    @post.destroy
  end
end
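As an added example (not Padrino code, and not the gist linked above): a framework-free Ruby sketch of the proposed strategy registry. `AccessStrategies`, `Request`, `authorized?` and `destroy_post` are hypothetical names standing in for `Padrino::Strategies` and the `:authorize_with` route option; the sketch takes an already-authenticated user so authorization stays separate from authentication, and it fails closed when a strategy is unregistered or raises.

```ruby
require 'set'

# Stand-in for the route's request object: only the parts strategies read.
Request = Struct.new(:params, :headers)

module AccessStrategies
  @strategies = {}

  # Register a named strategy. The block gets the request, the user and the
  # user's roles, mirroring the proposed Padrino::Strategies.add signature.
  def self.add(name, &block)
    raise ArgumentError, "strategy #{name} needs a block" unless block
    @strategies[name.to_sym] = block
  end

  # Authorization is kept separate from authentication: the caller passes in
  # whatever user it has already authenticated (or nil for an anonymous
  # request). An unregistered strategy raises instead of quietly allowing
  # access, and an exception inside a strategy counts as a denial.
  def self.authorized?(name, request, user)
    strategy = @strategies[name.to_sym]
    raise KeyError, "no access strategy registered as #{name}" unless strategy
    return false if user.nil?
    roles = Set.new(Array(user[:roles]).map(&:to_sym))
    begin
      strategy.call(request, user, roles) ? true : false
    rescue StandardError
      false # fail closed
    end
  end
end

# The :admin strategy from the proposal, registered against the sketch above.
AccessStrategies.add(:admin) do |request, user, roles|
  roles.include?(:admin) && request.params[:foo] == 'bar'
end

# Constructed sample users and requests (hypothetical data).
ADMIN   = { name: 'alice', roles: [:admin, :editor] }
EDITOR  = { name: 'bob',   roles: [:editor] }
OK_REQ  = Request.new({ foo: 'bar' }, {})
BAD_REQ = Request.new({ foo: 'baz' }, {})

# Stands in for `post :destroy, :authorize_with => :admin`: returns the
# status the route would answer with, without running the action body.
def destroy_post(request, user)
  AccessStrategies.authorized?(:admin, request, user) ? 200 : 403
end
```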
Mmm, premised: I love that!
One thing: isn't that already possible? See here: http://gist.github.com/380870
Mine is a super basic implementation.
It's possible if you separate authentication from authorization. For the purpose of our example above, imagine that the strategy would be provided the request, a user, and that user's roles.
With that assumption, how does this look?
Yep, basically, if I'm not wrong, the big problem for you is this: before { login_required }
I think then you won't have other problems if, for example, I give you more options like:
class Admin < Padrino::Application
  enable :authorization
  disable :authentication
end
Then I think some helpers can be useful for you, like logged_in? or current_account.
Consider that right now you can already do that (it requires little code), so you can build your custom authorization/authentication module and then pick up only what you need.
class Admin < Padrino::Application
  set :session_id, :_padrino_appz
  enable :sessions
  helpers Padrino::Admin::Helpers::AuthenticationHelpers
  helpers Padrino::Admin::Helpers::ViewHelpers
end
What do you think?
Should we keep this open, Davide?
Okay
Has anything like this happened? I'm trying to use AccessControl right now and am still not very clear on how to use it. A DSL like that would be really helpful.
I reckon something like this would be definitely useful. Authorisation becomes a big concern when your application grows and it would be great to have it out of the box.
We've been using Declarative Authorization for a long while, I've created a wrapper for it to work around it being tied to Rails. There're pros and cons with it. A big con would be that, AFAIK, it only works with ActiveRecord and that goes against Padrino's agnostic nature! On the other hand you can already use this on your model's callbacks for free and the DSL is great! :)
@nu7hatch took a good stab at the problem and implemented a very agnostic ACL called Aclatraz but at the time when we were choosing it wasn't quite straight forward for us to integrate it so we didn't go for it.
Perhaps the solution proposed by @onethirtyfive could be implemented and by adding some helpers as @DAddYE suggests we could get around with quite a nice authorisation schema for Padrino!
What do you think?
I'm working on standalone authentication and authorization modules for Padrino. It will be two independent modules, it won't be compatible with current padrino-admin access control. I will publish the code some time this week.
Great. I'm looking forward to your modules.
@ujifgc awesome, look forward to those as well. Solid stand-alone authentication and authorization modules would go a long way for the framework.