Reputation: 7396
When and where to implement ACL
I've got rails_authorization_plugin up and running with models.
What's the best way to implement permission checks on my site?
I have complicated conditions for when an instance of an object should be visible, is there an efficient way to chain them together so I'm not fetching multiple sets of data and grinding my DB as a result of looping over returned data to filter it?
Upvotes: 2
Views: 693
Answers (1)
Reputation: 2947
There is an efficient way: make sure you only run one query, and that the query you run returns exactly the objects you want. Easier said than done, of course.
One way to handle this is to construct your conditions using scopes.
@posts = @thread.posts.not_deleted.this_week.not_secret
If all those methods are scopes, that will be only one query.
If your conditions are too complex to easily make them scopes, you should probably just write a method to return the visible objects for the user.
class User
def posts_for(thread)
if is_admin?
thread.posts
elsif thread.owner == self
thread.posts.not_deleted
else
Post.find(:all, :conditions => something_complicated(thread, self))
end
end
end
My application has a lot of kinds of objects, and very complicated permissions, so we capture calls like that with method_missing, and route them to a permission library that knows how to make all the various queries.
Upvotes: 1
Related Questions
- Where should the authorization logic go in an api based application?
- Tips on Performing Rails User Authorization
- How to implement authorization?
- Where to handle user rights: in view, model or controller?
- Ruby Access Control - Specify with method or listed at ACL function?
- What are the best practices for authorization?
- User permissions in Rails app
- Rails ACL Design Question
- advice for structure and user access
- What's the best way to implement ACLs to a Rails application?