Kairi Zikpin
6/30/2006 11:10:00 AM
Timothy Goddard wrote:
> The model can't access the session. Model objects have no 'knowledge'
> that they are being used as part of a web application. Active Record
> can be used in any Ruby program. You'll have to use parameters,
> although I would suggest avoiding mixing up web application specific
> code and database code as much as possible.
>
> Kairi Zikpin wrote:
>> Michael W. Ryder wrote:
>>> Kairi Zikpin wrote:
>>>> Hi all,
>>>> I'm fairly new to Ruby/Rails but not new to development.
>>>>
>>>> In Java and .NET I can associate user logon credentials with the
>>>> active thread (or thread local for Java) so that all layers of my
>>>> application can have access to this without the need to pass it around
>>>> as parameters.
>>>>
>>>> Can the same be done in Ruby/Rails?
>>>>
>>>> eg, user logs on with employee privileges. I want the service layer
>>>> (model) and the controller to have access to those privileges, so I
>>>> need a central location to store it such that both layers can access
>>>> it.
>>>>
>>>> thx in advance
>>>> Kairi
>>> If there is a user record in the database you can set a session variable
>>> to the id of the user record. From there you can read the information
>>> from the database as needed. I used Agile Web Development with Rails
>>> for a start on the authentication I used for a project I am working on.
>> Thx for the quick response, Michael.
>>
>> Does the model have access to session?
>> I do all of my domain (model) logic within ActiveRecord so if user info
>> is stored in session then I would need access to it from the Model objects
>
So how does one do access control in the model?
Suppose I want to use my model and its logic in a non rails application.
Do I need to duplicate all of the security code all over again?
I'm trying to avoid exactly that situation but it seems everywhere I
turn, security is being done strictly in the controller.
Has anyone out there seen or used or developed a way to have
authorization (access control) on model layer objects (not controllers)?
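
Added example, not part of the original thread: a plain-Ruby sketch of the thread-associated credentials the question describes, with the authorization check living in the model object so it works with or without a controller. `SecurityContext`, `Principal`, `Payslip` and the `:payroll` role are hypothetical names chosen for illustration.

```ruby
# The caller (a controller filter, a CLI script, a test) binds the principal;
# the model only asks the context and fails closed when nothing is bound.
Principal = Struct.new(:login, :roles)

class AccessDenied < StandardError; end

module SecurityContext
  KEY = :security_context_principal

  # Bind the principal for the duration of the block only. The ensure clause
  # restores the previous value even on exceptions, so a pooled thread that
  # serves the next request never inherits the last user's identity.
  # Note: Thread.current[] is fiber-local in current Ruby versions.
  def self.with_principal(principal)
    previous = Thread.current[KEY]
    Thread.current[KEY] = principal
    yield
  ensure
    Thread.current[KEY] = previous
  end

  def self.principal
    Thread.current[KEY]
  end

  # Deny when no principal is bound or the role is missing.
  def self.require_role!(role)
    who = principal
    raise AccessDenied, "no authenticated principal" if who.nil?
    raise AccessDenied, "#{who.login} lacks role #{role}" unless who.roles.include?(role)
    who
  end
end

# Stand-in for a model class: the check sits next to the data it protects.
class Payslip
  def initialize(amount)
    @amount = amount
  end

  def amount
    SecurityContext.require_role!(:payroll)
    @amount
  end
end

def try_read(payslip)
  payslip.amount
rescue AccessDenied => e
  "denied: #{e.message}"
end
```

The model never touches the web session; whichever entry point authenticates the user wraps the work in `SecurityContext.with_principal(user) { ... }`.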