4

I'm looking for a plugin that provides a role-based authorization mechanism for securing read/write access to attributes. I'm picturing something along the lines of declarative_authorization for whitelisting attributes of model objects. I've spent some time looking around but have come up short. Does anyone know of anything?

EDIT: I'm using declarative_authorization to control which users have access to what actions in the controller, but I need something similar that provides access control to the attributes of each model object. I'm trying to prevent information leakage through the web API or users from crafting malicious posts. I can do this through the mass_assignment_authorizer but I was hoping some plugin did this already.

MrEvil
  • Maybe CanCan, don't know if it supports secure read/write – Petya petrov Mar 22 '11 at 06:42
  • There is an old list of Rails authorization plugins here: http://steffenbartsch.com/blog/2008/08/rails-authorization-plugins/. Note that it does not list cancan, but according to your post, it looks like you want security at the model level, which cancan does not support as far as I know. – plang Mar 22 '11 at 06:59
  • possible duplicate of [Protect sensitive attributes w/ declarative_authorization](http://stackoverflow.com/questions/5269333/protect-sensitive-attributes-w-declarative-authorization) – MrEvil Mar 29 '11 at 18:20
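
The per-role attribute whitelist the question describes, sketched as an added example that is not part of the original post and not taken from any plugin named on this page. It is plain Ruby with no Rails dependency; the module, roles, attribute names and sample data are all hypothetical.

```ruby
# Added example: role-based attribute whitelisting for both the write path
# (crafted POST parameters) and the read path (API serialization).
# All names below are hypothetical.
module AttributePolicy
  # Per-role whitelists. Anything not listed is denied (default deny).
  RULES = {
    "admin"  => { read: %w[id name email salary], write: %w[name email salary] },
    "member" => { read: %w[id name email],        write: %w[name email] },
    "guest"  => { read: %w[id name],              write: [] }
  }.freeze

  # Unknown or nil roles get an empty whitelist.
  def self.allowed(role, action)
    RULES.fetch(role.to_s, {}).fetch(action, [])
  end

  # Write path: keep only attributes the role may set, and return the
  # rejected keys so an attempted escalation can be logged.
  def self.filter_write(role, params)
    permitted = allowed(role, :write)
    accepted, rejected = params.partition { |k, _| permitted.include?(k.to_s) }
    [accepted.to_h, rejected.map(&:first)]
  end

  # Read path: expose only attributes the role may see.
  def self.filter_read(role, record)
    visible = allowed(role, :read)
    record.select { |k, _| visible.include?(k.to_s) }
  end
end

# Constructed sample data.
RECORD = { "id" => 7, "name" => "Ann", "email" => "ann@example.test",
           "salary" => 90_000, "role" => "member" }.freeze
CRAFTED_POST = { "name" => "Ann B.", "salary" => 1, "role" => "admin" }.freeze

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = AttributePolicy.filter_write("member", CRAFTED_POST)
  puts "assign: #{accepted.inspect}"
  puts "rejected (log these): #{rejected.inspect}"
  puts "guest view: #{AttributePolicy.filter_read('guest', RECORD).inspect}"
end
```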

2 Answers

1

CanCan Branch 2.0

https://github.com/ryanb/cancan/tree/2.0

Edit:

The continuation of CanCan is called CanCanCan.

See https://github.com/bryanrite/cancancan

kgpdeveloper
jrhicks
0

What about creating a model / controller pair for each controller, and then allowing each role only to access methods in its controller(s)? Then you can make a before_filter in each controller that makes sure each user has permission to use methods in that controller.

fengolly
  • +1 @charlie - Good idea for getting started on your own permission-based control system. – Surya Mar 22 '11 at 10:00