How to pass user credentials to all layers of Ruby/Rails

Kairi Zikpin

Hi all,
I'm fairly new to Ruby/Rails but not new to development.

In Java and .NET I can associate user logon credentials with the active
thread (or thread local for Java) so that all layers of my application
can have access to this without the need to pass it around as parameters.

Can the same be done in Ruby/Rails?

E.g., user logs on with employee privileges. I want the service layer
(model) and the controller to have access to those privileges, so I need
a central location to store it such that both layers can access it.

thx in advance
Kairi
 
Michael W. Ryder

Kairi said:
Hi all,
I'm fairly new to Ruby/Rails but not new to development.

In Java and .NET I can associate user logon credentials with the active
thread (or thread local for Java) so that all layers of my application
can have access to this without the need to pass it around as parameters.

Can the same be done in Ruby/Rails?

E.g., user logs on with employee privileges. I want the service layer
(model) and the controller to have access to those privileges, so I need
a central location to store it such that both layers can access it.

thx in advance
Kairi

If there is a user record in the database you can set a session variable
to the id of the user record. From there you can read the information
from the database as needed. I used Agile Web Development with Rails
for a start on the authentication I used for a project I am working on.
 
Kairi Zikpin

Michael said:
If there is a user record in the database you can set a session variable
to the id of the user record. From there you can read the information
from the database as needed. I used Agile Web Development with Rails
for a start on the authentication I used for a project I am working on.

Thx for the quick response, Michael.

Does the model have access to session?
I do all of my domain (model) logic within ActiveRecord so if user info
is stored in session then I would need access to it from the Model objects.
 
Michael W. Ryder

Kairi said:
Thx for the quick response, Michael.

Does the model have access to session?
I do all of my domain (model) logic within ActiveRecord so if user info
is stored in session then I would need access to it from the Model objects


I placed the access to the session record and the user records in the
controller. I didn't try to place any of the logic in the model. As I
am trying to learn Rails while working on this project I just modified
an existing example. I assume that you will need some information in
the session record just to know which user is using which session.
 
Timothy Goddard

The model can't access the session. Model objects have no 'knowledge'
that they are being used as part of a web application. Active Record
can be used in any Ruby program. You'll have to use parameters,
although I would suggest avoiding mixing up web application specific
code and database code as much as possible.
 
Kairi Zikpin

Timothy said:
The model can't access the session. Model objects have no 'knowledge'
that they are being used as part of a web application. Active Record
can be used in any Ruby program. You'll have to use parameters,
although I would suggest avoiding mixing up web application specific
code and database code as much as possible.

So how does one do access control in the model?

Suppose I want to use my model and its logic in a non-Rails application.
Do I need to duplicate all of the security code all over again?

I'm trying to avoid exactly that situation but it seems everywhere I
turn, security is being done strictly in the controller.

Has anyone out there seen or used or developed a way to have
authorization (access control) on model layer objects (not controllers)?
 
Jim Crossley

Two things...

[...]
In Java and .NET I can associate user logon credentials with the
active thread (or thread local for Java) so that all layers of my
application can have access to this without the need to pass it
around as parameters.

Can the same be done in Ruby/Rails?

Thread-specific storage in Ruby is accomplished using the [] operator,
e.g. Thread.current[:credentials] = User.new(un, pw)

[...]
So how does one do access control in the model?

Suppose I want to use my model and its logic in a non rails
application. Do I need to duplicate all of the security code all
over again?

Have a look at Bruce Perens' Model Security library:
http://perens.com/FreeSoftware/ModelSecurity/

Good luck,
Jim
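
The thread-local approach from the reply above, combined with a check made inside a model-layer object, as an added example that is not part of any post in this thread. `User`, `CurrentUser`, `Payroll` and `AccessDenied` are hypothetical names; the user is bound for one block only and the previous value is restored afterwards, because application servers reuse threads across requests.

```ruby
# Added example, not code from the thread. All class names are hypothetical.
User = Struct.new(:name, :roles)

class AccessDenied < StandardError; end

module CurrentUser
  KEY = :credentials # same slot as Thread.current[:credentials] above

  # Bind the user for the duration of the block only. The ensure clause
  # restores the previous value, so a pooled server thread never carries
  # one request's identity into the next request it serves.
  # Note: Thread#[] is fiber-local in Ruby 1.9+; use
  # Thread#thread_variable_set/get if the value must span fibers.
  def self.with(user)
    previous = Thread.current[KEY]
    Thread.current[KEY] = user
    yield
  ensure
    Thread.current[KEY] = previous
  end

  def self.get
    Thread.current[KEY]
  end
end

# Model-layer object: it knows nothing about sessions or controllers,
# it only asks the security context who the caller is.
class Payroll
  def initialize(salaries)
    @salaries = salaries
  end

  def salary_for(employee)
    user = CurrentUser.get
    # Fail closed: no bound user means no access.
    raise AccessDenied, "no authenticated user" if user.nil?
    unless user.roles.include?(:hr) || user.name == employee
      raise AccessDenied, "#{user.name} may not read #{employee}"
    end
    @salaries.fetch(employee)
  end
end
```

A controller or a non-Rails script would wrap its work in `CurrentUser.with(user) { ... }` after authenticating, so the same model check applies in both.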
 
