README.rdoc in declarative_authorization-0.4 vs README.rdoc in declarative_authorization-0.4.1
- old
+ new
@@ -1,26 +1,21 @@
= Declarative Authorization
The declarative authorization plugin offers an authorization mechanism inspired
-by _RBAC_. The most notable distinction to existing authorization plugins is the
-declarative authorization approach. That is, authorization rules are not
+by _RBAC_. The most notable distinction to other authorization plugins is the
+declarative approach. That is, authorization rules are not defined
programmatically in between business logic but in an authorization configuration.
-Currently, Rails authorization plugins only provide for programmatic
-authorization rules. That is, the developer needs to specify which roles are
+With programmatic authorization rules, the developer needs to specify which roles are
allowed to access a specific controller action or a part of a view, which is
-not DRY. With a growing application code base and functions, as it happens
-especially in agile development processes, it may be decided to introduce new
-roles. Then, at several places of the source code the new group needs to be
-added, possibly leading to omissions and thus hard to test errors. Another
-aspect are changing authorization requirements in development or
-even after taking the application into production. Then, privileges of
-certain roles need to be easily adjusted when the original assumptions
-concerning access control prove unrealistic. In these situations, a
-declarative approach as offered by this plugin increases the development
-and maintenance efficiency.
+not DRY. With a growing application code base roles' permissions often
+change and new roles are introduced. Then, at several places of the source code
+the changes have to be implemented, possibly leading to omissions and thus hard
+to find errors. In these cases, a declarative approach as offered by decl_auth
+increases the development and maintenance efficiency.
+
Plugin features
* Authorization at controller action level
* Authorization helpers for Views
* Authorization at model level
* Authorize CRUD (Create, Read, Update, Delete) activities
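Review bot: the shorthand "decl_auth" in the last added line of the paragraph ("as offered by decl_auth") is used here for the first time without being tied to the plugin name; the paragraph opens with "The declarative authorization plugin", so either keep that wording or introduce the abbreviation once, e.g. "declarative_authorization (decl_auth)". The added "roles' permissions often change" also reads awkwardly; "the permissions of roles often change" is clearer.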
@@ -35,10 +30,14 @@
* User objects need to respond to a method :role_symbols that returns an
array of role symbols
See below for installation instructions.
+There is a decl_auth screencast by Ryan Bates, nicely introducing the main concepts:
+http://railscasts.com/episodes/188-declarative-authorization
+
+
= Authorization Data Model
----- App domain ----|-------- Authorization conf ---------|------- App domain ------
includes includes
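Review bot: the two empty `+` lines after the screencast URL leave a double blank line before "= Authorization Data Model", while the rest of the file separates sections with a single blank line; drop one of them. The screencast reference would also be more useful with the plugin version it was recorded against, so readers can tell whether it matches the API documented here (for instance the :role_symbols requirement in the context lines just above).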
@@ -73,11 +72,11 @@
A fully functional example application can be found at
http://github.com/stffn/decl_auth_demo_app
Details on the demonstrated methods can be found in the API docs, either
-generated yourself or at http://www.tzi.org/~sbartsch/declarative_authorization
+generated by yourself or at http://www.tzi.org/~sbartsch/declarative_authorization
== Controller
If authentication is in place, there are two ways to enable user-specific
access control on controller actions. For resource controllers, which more
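Review bot: the only change in this hunk, "generated yourself" to "generated by yourself", does not improve the sentence; "generated yourself" was already idiomatic and the new form is less so. Either revert it or, if the intent is to be clearer, write "generated locally".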
@@ -217,11 +216,11 @@
As access control on read are costly, with possibly lots of objects being
loaded at a time in one query, checks on read need to be actived explicitly by
adding the :include_read option.
-=== Query rewriting using named scopes
+=== Query rewriting through named scopes
When retrieving large sets of records from databases, any authorization needs
to be integrated into the query in order to prevent inefficient filtering
afterwards and to use LIMIT and OFFSET in SQL statements. To keep authorization
rules out of the source code, this plugin offers query rewriting mechanisms
through named scopes. Thus,
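Review bot: while changing the heading from "using named scopes" to "through named scopes", fix the typo in the context line two lines above it: "checks on read need to be actived explicitly" should read "activated", and the same sentence needs "As access control on read is costly" (singular). Neither is touched by this hunk, but a documentation-only release is the place for it.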
@@ -240,11 +239,12 @@
the conditions for manual rewrites.
== Authorization Rules
-Authorization rules are defined in config/authorization_rules.rb. E.g.
+Authorization rules are defined in config/authorization_rules.rb
+(Or redefine rules files path via +Authorization::AUTH_RULE_FILES+). E.g.
authorization do
role :admin do
has_permission_on :employees, :to => [:create, :read, :update, :delete]
end
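Review bot: the added parenthetical "(Or redefine rules files path via +Authorization::AUTH_RULE_FILES+)" needs a lower-case "or", should read "the path(s) of the rules files", and should say when the setting takes effect. The +...+ markup presents it as a Ruby constant; reassigning a constant that has already been defined only emits a warning and, if done after the rules were read, changes nothing, so state that it must be set before the rules are loaded (e.g. in an initializer) and, given the plural "files", whether it expects an array of paths. A one-line example would settle both questions.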
@@ -322,12 +322,11 @@
declarative_authorization provides a few helpers to ease the testing with
authorization in mind.
In your test_helper.rb, to enable the helpers add
- require File.expand_path(File.dirname(__FILE__) +
- "/../vendor/plugins/declarative_authorization/lib/maintenance")
+ require 'declarative_authorization/maintenance'
class Test::Unit::TestCase
include Authorization::TestHelper
...
end
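Review bot: replacing the explicit vendor/plugins path with require 'declarative_authorization/maintenance' assumes the plugin's lib directory is already on the load path when test_helper.rb runs. That holds for a gem install, but for a vendor/plugins checkout only after Rails has initialised the plugin (which is what adds its lib directory to the load path), so the README should say that this require has to come after the line that loads the Rails environment in test_helper.rb, or keep the old path as an alternative for plugin users.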
@@ -449,11 +448,11 @@
All bang methods throw exceptions which may be used to retrieve more
information about a denied access than a Boolean value.
-== Authorization Browser
+== Authorization Development Support
If your authorization rules become more complex, you might be glad to use
the authorization rules browser that comes with declarative_authorization.
It has a syntax-highlighted and a graphical view with filtering of the current
authorization rules.
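Review bot: the heading is broadened to "Authorization Development Support", but the body under it (the context lines) still describes only the rules browser, so the wider scope is never explained; add a sentence naming what else the section now covers (the hunk further down mentions Change Support) or keep the old heading. Renaming a heading also changes the generated rdoc anchor, so any links to "Authorization Browser" will break.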
@@ -466,11 +465,13 @@
Then, point your browser to
http://localhost/authorization_rules
The browser needs Rails 2.3 (for Engine support). The graphical view requires
Graphviz (which e.g. can be installed through the graphviz package under Debian
-and Ubuntu) and has only been tested under Linux.
+and Ubuntu) and has only been tested under Linux. Note: for Change Support
+you'll need to have a User#login method that returns a non-ambiguous user
+name for identification.
= Help and Contact
We have an issue tracker[http://github.com/stffn/declarative_authorization/issues]
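Review bot: the note on Change Support is tacked onto the sentence about Graphviz and introduces a feature the section never describes; make it its own paragraph, say what Change Support does (if it records which user changed the rules, as the need for an identifying name suggests, say so), and replace "non-ambiguous user name" with "unique user name". Since the context of this hunk points readers at http://localhost/authorization_rules and Change Support implies the rules can be modified through that engine, the section should also state how access to it is restricted (which role, or development only), which is something a reader of an authorization plugin's README will expect to be explicit.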
@@ -487,21 +488,13 @@
sbartsch at tzi.org
= Contributors
-Thanks to
-* Eike Carls
-* Erik Dahlstrand
-* Jeroen van Dijk
-* Jeremy Friesen
-* Brian Langenfeld
-* Georg Ledermann
-* Geoff Longman
-* Olly Lylo
-* Mark Mansour
-* Thomas Maurer
-* Mike Vincent
+Thanks to John Joseph Bachir, Eike Carls, Kai Chen, Erik Dahlstrand,
+Jeroen van Dijk, Sebastian Dyck, Jeremy Friesen, Daniel Kristensen, Brian Langenfeld,
+Georg Ledermann, Geoff Longman, Olly Lylo, Mark Mansour, Thomas Maurer,
+Mike Vincent
= Licence
Copyright (c) 2008 Steffen Bartsch, TZI, Universität Bremen, Germany
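Review bot: collapsing the contributor bullet list into a single comma-separated run of lines makes future additions noisier to review, since every new name rewrites the whole block, as this hunk itself shows; one name per line, as before, keeps diffs to the added line. The last added line ("Mike Vincent") also ends without a full stop. With the contributor list being updated for 0.4.1, check whether the unchanged "Copyright (c) 2008" in the context below still reflects the release year.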