Reputation: 59
Where to handle user rights: in view, model or controller?
I'd like to have 3 users' groups: admins, managers and engineers. An admin can see all the objects, can change which group a user belongs and so on. A manager can see his stuff and his engineers' stuff. An engineer can see his own stuff only. The question is where to place all the logic: in a view, in a controller or in a model. I'm going to make a session helper "current_user_right_on(stuff)" and check the rights in the view:
if current_user_right_on(stuff) == view
show_stuff
if current_user_right_on(stuff) == change
show_edit_controls
end
end
What is the common way to do such things? What is the rule of thumb?
UPDATE So, now I have in the controller
def index
if logged_in?
if current_user.admin?
@stuff = Stuff.all
else
@stuff = Stuff.stuff_user_can_see(current_user)
end
else
@stuff = Stuff.where( <anyone can see> )
end
end
And in the model I have method "stuff_user_can_see(user)" which selects appropriate records from the database.
What should I improve here?
Upvotes: 1
Views: 164
Answers (2)
Reputation: 5120
It is currently considered a best practice to keep authorization logic at the controller level. This way, your view remains the same regardless of what role the user is because the instance variable it gets passed (e.g., @stuff) is already filtered to only show that data for which he is authorized. This will also make it easier to add an API later on if desired since the authorization logic in the controller could be reused.
I would recommend that you first learn how to roll your own authorization before attempting to integrate a third-party authorization gem. Otherwise, you will be kind of confused as to how the gem works because you won't know what it is doing. I would check out the authorization section from Michael Hartl's Rails Tutorial book. Everything you're wanting to know is in there and explains it better than I could here.
Upvotes: 2
Reputation: 4545
The best answer to this question is to use a pre-existing gem that implements some form of role-based authorization. That will provide the helpers and model level tools, as well as examples of best practices. You can find a list of such gems here - https://www.ruby-toolbox.com/categories/rails_authorization .
Upvotes: 0
Related Questions
- Rails: Handling permissions for individual tables and composite views concisely
- Rails roles and permissions - how do I do it right?
- Manage user permission with an instance variable or in a helper
- Rails permissions: different types of permissions to different models
- User permissions in Rails app
- In Rails, what's the best practice for authorizing a user's access to a model?
- Best way to do permissions checks in controllers.
- Where to put user access controls? The controller or the model?
- When and where to implement ACL
- What's the best way to implement ACLs to a Rails application?