Authorisation
Hi,
So I have got an application that has the following authorisation roles:
- Admin
- Owner
- Member
- Manager
And my application has to serve multiple clients. So each user has a role that is scoped to a particular client. Classic multi-tenant app.
I have this initialiser:
config.authorization_method = Proc.new { |controller, action, resource| datatable_authorization_method(controller, action, resource) }
And this on my application controller:
def datatable_authorization_method(controller, action, resource)
  datatable = controller.instance_variable_get(:@datatable)
  return true if datatable.blank? # We are in one of our own controllers; so permissions are handled in BaseController.
  return true if datatable.attributes[:require_role].blank?

  # We are in Effective::DatatablesController
  case datatable.attributes[:require_role]
  when :owner
    return current_user.account_owner?(current_account)
  when :admin
    return current_user.account_admin?(current_account)
  when :manager
    return current_user.account_manager?(current_account)
  when :member
    return current_user.account_member?(current_account)
  else
    raise NotImplementedError.new
  end
end
And I instantiate an effective datatable like this:
def index
  @contracts_table = ContractsDatatable.new(self, account_id: current_account.id, require_role: :manager)
end
And it works fine, so far. But I think it is a little bit hacky to have that datatable = controller.instance_variable_get(:@datatable). I was wondering if the @datatable could be one of the arguments that are passed to the authorization_method. So that it would be like this:
config.authorization_method = Proc.new { |controller, action, resource, datatable| datatable_authorization_method(controller, action, resource, datatable) }
That way I can be confident that it will not break. What do you think? Or if you could suggest a different alternative.
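The check above depends on the role being scoped to the current account, which is the point of the multi-tenant setup. The following is an added example, not code from the issue author or from the effective_datatables gem: it models that per-account role check with plain Ruby objects so it runs without Rails, and it takes the datatable as an explicit argument (the signature the issue asks for) with a small adapter that keeps the gem's existing (controller, action, resource) arity. Account, User, FakeDatatable and FakeController are constructed stand-ins; the account_owner?/account_admin?/account_manager?/account_member? predicates are assumed to exist on the real User model as the issue uses them.

```ruby
# Added example; not code from the issue or from effective_datatables.
require 'set'

Account = Struct.new(:id, :name)

# Constructed stand-in for the app's User: roles are scoped per account,
# stored as { account_id => Set[:admin, :member, ...] }.
class User
  ROLES = %i[owner admin manager member].freeze

  def initialize(email, memberships = {})
    @email = email
    @memberships = memberships.transform_values { |roles| Set.new(roles) }
  end

  def roles_in(account)
    @memberships.fetch(account.id, Set.new)
  end

  # Defines account_owner?(account), account_admin?(account), ... as used in the issue.
  ROLES.each do |role|
    define_method(:"account_#{role}?") { |account| roles_in(account).include?(role) }
  end
end

# Constructed stand-in for an Effective datatable; only its attributes hash is consulted.
class FakeDatatable
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end
end

# Constructed stand-in for a controller that may or may not have set @datatable.
class FakeController
  def initialize(datatable = nil)
    @datatable = datatable
  end
end

# The role check with the datatable passed explicitly. Semantics follow the issue:
# no datatable means one of the app's own controllers (BaseController handles it),
# and no :require_role means the datatable is not role-restricted. Unknown roles
# raise, and a role-restricted datatable with no user or no account is denied.
def datatable_authorized?(datatable, current_user, current_account)
  return true if datatable.nil?
  required = datatable.attributes[:require_role]
  return true if required.nil?
  raise NotImplementedError, "unknown role #{required.inspect}" unless User::ROLES.include?(required)
  return false if current_user.nil? || current_account.nil?

  # Dispatches to account_<role>?(account), so the answer is always tenant-scoped.
  current_user.public_send(:"account_#{required}?", current_account)
end

# Adapter with the gem's (controller, action, resource) arity: the ivar lookup
# happens in exactly one place, and the check itself stays an ordinary method.
def build_authorization_method(current_user:, current_account:)
  proc do |controller, _action, _resource|
    datatable = controller.instance_variable_get(:@datatable)
    datatable_authorized?(datatable, current_user, current_account)
  end
end
```

Because the predicate is evaluated against current_account, an admin of one account is just a member (or nothing) in another, which is the behaviour the thread's later test with two tabs was trying to confirm.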
Issue Analytics
- State:
- Created 6 years ago
- Comments: 9 (9 by maintainers)
I just tried to replicate that scenario. I logged in as an admin and went to a page with a datatable that only an admin should be able to see. Then, in a different tab, I logged in as a member. A member should not be able to see the datatable. I tried making a search – ajax query – on the admin table and I got a "Can't verify CSRF token authenticity". So the Datatable sends Rails's CSRF token but fails to validate. So perhaps the scenario is not possible.
Excellent, sounds good 😃
Thanks!