Mohamad

Reputation: 35349

Authorization gem for a multi-tenancy application?

Are there are any authorization gems/examples for multi-tenancy applications?

I looked at CanCan and CanTango, but I wasn't able to find what I am looking for.

My app has Account, User, and Relationship models. The relationship model has a relationship_type column which determines the authorization level. Its value can be owner, moderator, or editor, and perhaps more in the future. Users can own/moderate many accounts, and an account can have many owners/moderators.

All the examples I found describe a single tenant application, whereas my app's authorization has to be scoped through the current account being viewed. A user can be a guest on one account and an owner of another, for example.

I'm starting to think my Relationship model is bad design and might have drawbacks, but I'm not sure what is a better alternative.

Upvotes: 3

Views: 863

Answers (2)

Try declarative_authorization. The authorization rules are defined in a single Ruby file using a DSL, and you can define advanced rules based on objects' attributes and, of course, on the user's role.

For example, you can say something like this:

authorization do
  role :moderator do
    has_permission_on :accounts do
      to :manage
      # only accounts whose moderators association includes the current user
      if_attribute :moderators => contains { user }
    end
  end
end

declarative_authorization offers several helper methods you can use in models, controllers and views. For example, in the account view you can write:

<% permitted_to? :update, @account do %>
  <%= link_to 'Edit account', edit_account_path(@account) %>
<% end %>

You can have a look at the documentation and at the RailsCasts episode.

Upvotes: 1

nicholaides

Reputation: 19489

CanCan can indeed handle this because it lets you define arbitrary rules. Your ability file might look like this:

class Ability
  include CanCan::Ability

  def initialize(user)
    # Authorization is scoped per account: look up the user's relationship to
    # the account the post belongs to, and allow reading only when the user is
    # an owner or moderator of that account.
    can :read, BlogPost do |blog_post|
      relationship = user.relationships.find_by(account_id: blog_post.account_id)
      relationship && relationship.relationship_type.in?(%w[owner moderator])
    end
  end
end

Upvotes: 3
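Both answers above come down to the same design: the ability is resolved for the pair (user, current account), and every object-level check also verifies that the record belongs to that account. The following is an added example, not code from either answer or from the CanCan or declarative_authorization gems. It is plain Ruby (no Rails, no gem) so that it runs stand-alone, modelled on the question's Account / User / Relationship schema; the class name TenantAbility, the ROLE_ACTIONS table and the sample data are hypothetical.

```ruby
# Added example: tenant-scoped authorization in plain Ruby, modelled on the
# question's Account / User / Relationship models. TenantAbility, ROLE_ACTIONS
# and the sample records below are hypothetical, not part of any gem.
require 'set'

Account      = Struct.new(:id, :name)
User         = Struct.new(:id, :email)
# relationship_type is 'owner', 'moderator' or 'editor'; no row means guest.
Relationship = Struct.new(:user_id, :account_id, :relationship_type)
Post         = Struct.new(:id, :account_id, :title)

# Actions each role may perform on posts of the account it holds the role for.
ROLE_ACTIONS = {
  'owner'     => Set[:read, :create, :update, :destroy, :manage_members],
  'moderator' => Set[:read, :create, :update, :destroy],
  'editor'    => Set[:read, :create, :update],
  'guest'     => Set[:read],
}.freeze

class TenantAbility
  attr_reader :role

  # Built for (user, current_account), never for the user alone: the same user
  # gets a different ability object on every account they visit.
  def initialize(user, current_account, relationships)
    @account = current_account
    rel = relationships.find do |r|
      r.user_id == user.id && r.account_id == current_account.id
    end
    @role = rel ? rel.relationship_type : 'guest'
    raise ArgumentError, "unknown role #{@role}" unless ROLE_ACTIONS.key?(@role)
  end

  # Two checks: the role permits the action, AND the record belongs to the
  # current account. The second check stops an owner of account A from
  # editing account B's post by requesting it while "in" account A.
  def can?(action, record = nil)
    return false unless ROLE_ACTIONS[@role].include?(action)
    return true if record.nil?            # class-level question, e.g. "can create?"
    record.account_id == @account.id
  end
end

# Constructed sample data: alice owns acme and has no relationship to beta.
def demo
  acme  = Account.new(1, 'acme')
  beta  = Account.new(2, 'beta')
  alice = User.new(10, 'alice@example.com')
  rels  = [Relationship.new(10, 1, 'owner')]
  acme_post = Post.new(100, 1, 'acme news')
  beta_post = Post.new(200, 2, 'beta news')

  in_acme = TenantAbility.new(alice, acme, rels)
  in_beta = TenantAbility.new(alice, beta, rels)
  {
    acme_role:                in_acme.role,
    beta_role:                in_beta.role,
    owner_edits_own:          in_acme.can?(:update, acme_post),
    owner_edits_other_tenant: in_acme.can?(:update, beta_post),
    owner_can_create:         in_acme.can?(:create),
    guest_reads:              in_beta.can?(:read, beta_post),
    guest_edits:              in_beta.can?(:update, beta_post),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a Rails app the `relationships` argument would be the user's `relationships` association and `current_account` whatever the controller resolves from the subdomain or URL; the point to carry over is the last line of `can?`: a role check without the `record.account_id == @account.id` comparison lets a privileged user in one tenant reach records of another by guessing ids.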
