comp.lang.ruby

how to pass user credentials to all layers of ruby/rails

Kairi Zikpin

6/29/2006 12:57:00 AM

Hi all,
I'm fairly new to Ruby/Rails but not new to development.

In Java and .NET I can associate user logon credentials with the active
thread (or thread local for Java) so that all layers of my application
can have access to this without the need to pass it around as parameters.

Can the same be done in Ruby/Rails?

eg, user logs on with employee privileges. I want the service layer
(model) and the controller to have access to those privileges, so I need
a central location to store it such that both layers can access it.

thx in advance
Kairi
6 Answers

Michael W. Ryder

6/29/2006 1:29:00 AM

0

Kairi Zikpin wrote:
> Hi all,
> I'm fairly new to Ruby/Rails but not new to development.
>
> In Java and .NET I can associate user logon credentials with the active
> thread (or thread local for Java) so that all layers of my application
> can have access to this without the need to pass it around as parameters.
>
> Can the same be done in Ruby/Rails?
>
> eg, user logs on with employee privileges. I want the service layer
> (model) and the controller to have access to those privileges, so I need
> a central location to store it such that both layers can access to it.
>
> thx in advance
> Kairi

If there is a user record in the database you can set a session variable
to the id of the user record. From there you can read the information
from the database as needed. I used Agile Web Development with Rails
for a start on the authentication I used for a project I am working on.

Kairi Zikpin

6/29/2006 2:33:00 AM

0

Michael W. Ryder wrote:
> Kairi Zikpin wrote:
>> Hi all,
>> I'm fairly new to Ruby/Rails but not new to development.
>>
>> In Java and .NET I can associate user logon credentials with the
>> active thread (or thread local for Java) so that all layers of my
>> application can have access to this without the need to pass it around
>> as parameters.
>>
>> Can the same be done in Ruby/Rails?
>>
>> eg, user logs on with employee privileges. I want the service layer
>> (model) and the controller to have access to those privileges, so I
>> need a central location to store it such that both layers can access
>> to it.
>>
>> thx in advance
>> Kairi
>
> If there is a user record in the database you can set a session variable
> to the id of the user record. From there you can read the information
> from the database as needed. I used Agile Web Development with Rails
> for a start on the authentication I used for a project I am working on.

Thx for the quick response, Michael.

Does the model have access to session?
I do all of my domain (model) logic within ActiveRecord so if user info
is stored in session then I would need access to it from the Model objects.

Michael W. Ryder

6/29/2006 7:17:00 PM

0

Kairi Zikpin wrote:
> Michael W. Ryder wrote:
>> Kairi Zikpin wrote:
>>> Hi all,
>>> I'm fairly new to Ruby/Rails but not new to development.
>>>
>>> In Java and .NET I can associate user logon credentials with the
>>> active thread (or thread local for Java) so that all layers of my
>>> application can have access to this without the need to pass it
>>> around as parameters.
>>>
>>> Can the same be done in Ruby/Rails?
>>>
>>> eg, user logs on with employee privileges. I want the service layer
>>> (model) and the controller to have access to those privileges, so I
>>> need a central location to store it such that both layers can access
>>> to it.
>>>
>>> thx in advance
>>> Kairi
>>
>> If there is a user record in the database you can set a session
>> variable to the id of the user record. From there you can read the
>> information from the database as needed. I used Agile Web Development
>> with Rails for a start on the authentication I used for a project I am
>> working on.
> Thx for the quick response, Michael.
>
> Does the model have access to session?
> I do all of my domain (model) logic within ActiveRecord so if user info
> is stored in session then I would need access to it from the Model objects


I placed the access to the session record and the user records in the
controller. I didn't try to place any of the logic in the model. As I
am trying to learn Rails while working on this project I just modified
an existing example. I assume that you will need some information in
the session record just to know which user is using which session.

Timothy Goddard

6/30/2006 7:14:00 AM

0

The model can't access the session. Model objects have no 'knowledge'
that they are being used as part of a web application. Active Record
can be used in any Ruby program. You'll have to use parameters,
although I would suggest avoiding mixing up web application specific
code and database code as much as possible.

Kairi Zikpin wrote:
> Michael W. Ryder wrote:
> > Kairi Zikpin wrote:
> >> Hi all,
> >> I'm fairly new to Ruby/Rails but not new to development.
> >>
> >> In Java and .NET I can associate user logon credentials with the
> >> active thread (or thread local for Java) so that all layers of my
> >> application can have access to this without the need to pass it around
> >> as parameters.
> >>
> >> Can the same be done in Ruby/Rails?
> >>
> >> eg, user logs on with employee privileges. I want the service layer
> >> (model) and the controller to have access to those privileges, so I
> >> need a central location to store it such that both layers can access
> >> to it.
> >>
> >> thx in advance
> >> Kairi
> >
> > If there is a user record in the database you can set a session variable
> > to the id of the user record. From there you can read the information
> > from the database as needed. I used Agile Web Development with Rails
> > for a start on the authentication I used for a project I am working on.
> Thx for the quick response, Michael.
>
> Does the model have access to session?
> I do all of my domain (model) logic within ActiveRecord so if user info
> is stored in session then I would need access to it from the Model objects

Kairi Zikpin

6/30/2006 11:10:00 AM

0

Timothy Goddard wrote:
> The model can't access the session. Model objects have no 'knowledge'
> that they are being used as part of a web application. Active Record
> can be used in any Ruby program. You'll have to use parameters,
> although I would suggest avoiding mixing up web application specific
> code and database code as much as possible.
>
> Kairi Zikpin wrote:
>> Michael W. Ryder wrote:
>>> Kairi Zikpin wrote:
>>>> Hi all,
>>>> I'm fairly new to Ruby/Rails but not new to development.
>>>>
>>>> In Java and .NET I can associate user logon credentials with the
>>>> active thread (or thread local for Java) so that all layers of my
>>>> application can have access to this without the need to pass it around
>>>> as parameters.
>>>>
>>>> Can the same be done in Ruby/Rails?
>>>>
>>>> eg, user logs on with employee privileges. I want the service layer
>>>> (model) and the controller to have access to those privileges, so I
>>>> need a central location to store it such that both layers can access
>>>> to it.
>>>>
>>>> thx in advance
>>>> Kairi
>>> If there is a user record in the database you can set a session variable
>>> to the id of the user record. From there you can read the information
>>> from the database as needed. I used Agile Web Development with Rails
>>> for a start on the authentication I used for a project I am working on.
>> Thx for the quick response, Michael.
>>
>> Does the model have access to session?
>> I do all of my domain (model) logic within ActiveRecord so if user info
>> is stored in session then I would need access to it from the Model objects
>

So how does one do access control in the model?

Suppose I want to use my model and its logic in a non rails application.
Do I need to duplicate all of the security code all over again?

I'm trying to avoid exactly that situation but it seems everywhere I
turn, security is being done strictly in the controller.

Has anyone out there seen or used or developed a way to have
authorization (access control) on model layer objects (not controllers)

Jim Crossley

6/30/2006 11:44:00 AM

0

Two things...

[...]

> In Java and .NET I can associate user logon credentials with the
> active thread (or thread local for Java) so that all layers of my
> application can have access to this without the need to pass it
> around as parameters.
>
> Can the same be done in Ruby/Rails?

Thread-specific storage in Ruby is accomplished using the [] operator,
e.g. Thread.current[:credentials] = User.new(un, pw)

[...]

> So how does one do access control in the model?
>
> Suppose I want to use my model and its logic in a non rails
> application. Do I need to duplicate all of the security code all
> over again?

Have a look at Bruce Perens' Model Security library:
http://perens.com/FreeSoftware/Mode...

Good luck,
Jim
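
The thread-local storage Jim mentions, combined with an access check inside a model-layer object, as an added example that is not part of the original thread. `Credentials`, `SecurityContext`, `Document`, `AccessDenied` and `handle_request` are hypothetical names; the credentials are always restored in `ensure` so a reused worker thread cannot carry one user's privileges into the next request.

```ruby
# Added example: all class, module and method names here are hypothetical.
Credentials = Struct.new(:user_id, :roles)
class AccessDenied < StandardError; end

module SecurityContext
  KEY = :credentials

  # Bind credentials for the duration of the block only, then restore the
  # previous value. Note: Thread.current[] is fiber-local on Ruby 1.9+;
  # Thread#thread_variable_set is the truly thread-wide alternative.
  def self.with(credentials)
    previous = Thread.current[KEY]
    Thread.current[KEY] = credentials
    yield
  ensure
    Thread.current[KEY] = previous
  end

  def self.current
    Thread.current[KEY]
  end

  # Fail closed: no bound credentials means no access.
  def self.require_role!(role)
    creds = current
    raise AccessDenied, "no credentials bound" if creds.nil?
    raise AccessDenied, "role #{role} required" unless creds.roles.include?(role)
    creds
  end
end

# Model-layer object: it knows nothing about sessions or controllers.
class Document
  def initialize(body)
    @body = body
  end

  def read
    SecurityContext.require_role!(:employee)
    @body
  end
end

# What a controller filter (or a non-Rails script) would do per request.
def handle_request(credentials, document)
  SecurityContext.with(credentials) { document.read }
rescue AccessDenied => e
  "denied: #{e.message}"
end
```

The same `Document` can be used from a non-Rails program as long as the caller binds credentials with `SecurityContext.with` first.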