Rails4 authorization strategies

When it comes to Authorization/Authentication devise + cancan are usually my gems of choice. After the release of Rails4's strong parameters I've been looking into using the cancan_strong_parameters gem.

I can't shake the feeling that this approach seems a bit 'hacky'. The other options seem to be the TheRole gem or simply rolling my own auth from scratch.

Was hoping anyone with first-hand experience here could give a few pointers on how they tackled the problem, what problems they faced and where each approach fell short (if anywhere).

I know this isn't a clean-cut StackOverflow-type question, but there doesn't seem to be much info regarding this subject when Googling. Thanks.

8bithero asked Jul 13 '13 13:07
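The pattern the question is circling, shown as an added plain-Ruby sketch (not code from cancan, cancan_strong_parameters, TheRole or any other gem named on this page): one Ability class answers both "may this user perform this action on this record?" and "which attributes may this user mass-assign for it?", so the authorization rule and the strong-parameters whitelist cannot drift apart. Post, User, Ability, permitted_attributes and permit are hypothetical names chosen for the example.

```ruby
# Constructed models standing in for ActiveRecord classes (no Rails needed).
Post = Struct.new(:id, :author_id, :published, :title, :body)
User = Struct.new(:id, :role)

class Ability
  # One rule: action, subject class, optional per-record condition, and the
  # attributes a matching user may mass-assign (the strong-params whitelist).
  Rule = Struct.new(:action, :subject, :condition, :attributes)

  def initialize(user)
    @rules = []
    user ||= User.new(nil, :guest)          # nil user => guest
    can :read, Post                         # anyone may read, nothing writable
    case user.role
    when :admin
      # :manage covers every action; admins may also flip ownership/publication
      can :manage, Post, attributes: %i[title body published author_id]
    when :author
      can :create, Post, attributes: %i[title body]
      # Only the record's owner may update it, and never the protected columns
      can :update, Post, ->(p) { p.author_id == user.id }, attributes: %i[title body]
    end
  end

  def can(action, subject, condition = nil, attributes: [])
    @rules << Rule.new(action, subject, condition, attributes)
  end

  def can?(action, subject)
    matching(action, subject).any?
  end

  # Union of whitelists from every rule that grants this action.
  def permitted_attributes(action, subject)
    matching(action, subject).flat_map(&:attributes).uniq
  end

  # Filter request params the way strong parameters' permit does, driven by
  # the same rules that decide authorization. Unknown/forbidden keys drop out.
  def permit(action, subject, params)
    allowed = permitted_attributes(action, subject)
    params.select { |key, _| allowed.include?(key.to_sym) }
  end

  private

  def matching(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.select do |r|
      (r.action == :manage || r.action == action) && r.subject == klass &&
        (r.condition.nil? || subject.is_a?(Class) || r.condition.call(subject))
    end
  end
end
```

Passing a class (`Post`) asks whether the action is allowed on any record; passing an instance also evaluates the ownership condition, which is what an `update` action needs.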



2 Answers

Have you read the discussion in PR 763 "support for strong_parameters"?

In short, until cancan 2 comes out, some people are using Oliver Morgan's fork.

Jared Beck answered Oct 16 '22 12:10


There's also the protector gem:

https://github.com/inossidabile/protector

And cancancan:

https://github.com/bryanrite/cancancan

Joshua Muheim answered Oct 16 '22 11:10