unwwwritten
Authentication, publication and lockification
Posted August 19th, 2008 at 6:58 am PDT by S. Brent Faulkner
Not much to talk about here... although I'm sure I'll come up with more about these topics in a future post (especially user authentication).
For now, this is just a quick status update. A few other things on the list that I've "done" already are...
- user authentication with admin and author roles
- published and unpublished blog posts
- lock blog posts to prevent further comments
User authentication is taken care of using restful-authentication by Rick Olson (aka technoweenie).
On top of the authentication is a really simple role system. In my application controller I added:
```ruby
class << self
  # Class-level macro: require_role 'Author', 'Admin', :only => [...]
  # A trailing Hash is treated as the before_filter options.
  def require_role(*roles)
    options = roles.last.is_a?(Hash) ? roles.pop : {}
    # Builds one filter method per role set, e.g. author_or_admin_role_required
    method_name = roles.collect { |role| role.titleize.gsub(/ /, '').underscore }.join('_or_') + "_role_required"
    define_method(method_name) {
      # Deny unless logged in and holding at least one of the named roles
      access_denied and return false unless logged_in? && current_user.roles.any? { |r| roles.include?(r.name) }
    }
    before_filter method_name.to_sym, options
  end
end
```
Then, in any controller where I want to secure things I add something like the following:
```ruby
before_filter :login_required, :except => [ :index, :show, :summary ]
after_filter :store_location, :only => [ :index, :show, :summary ]
require_role 'Author', :only => [ :new, :create ]
```
The before_filter makes sure the user is logged in for any action other than viewing posts, and the after_filter remembers where we are on the unauthenticated pages (so that we can return there if the user does log in).
The require_role is the magic that we added to the application controller. It installs a before filter which checks that the current user holds at least one of the specified roles, and denies access otherwise.
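To show how that macro behaves without a Rails stack, here is an added example (not the post's code) that reimplements it against stub classes: FakeController, Role and User are my own stand-ins, and a plain downcase replaces ActiveSupport's #titleize when building the method name.

```ruby
# Added example, not the post's code: a plain-Ruby stand-in for the
# require_role macro so its logic can be run without Rails.
# Assumed: FakeController, Role and User are stubs, and ActiveSupport's
# #titleize is replaced by a simple downcase when building the method name.
Role = Struct.new(:name)
User = Struct.new(:roles)
class FakeController
  def initialize(user)
    @user = user
  end

  # Stand-ins for the restful-authentication helpers the post relies on;
  # the real access_denied redirects or renders 401, the stub just returns true.
  def logged_in?;    !@user.nil?; end
  def current_user;  @user;       end
  def access_denied; true;        end

  class << self
    def filters; @filters ||= []; end
    def before_filter(name, options = {})
      filters << [name, options]
    end

    # Same construction as the post's macro: one method per role set
    # (e.g. author_or_admin_role_required) installed as a before filter.
    # Access is granted when the user holds ANY one of the named roles.
    def require_role(*roles)
      options = roles.last.is_a?(Hash) ? roles.pop : {}
      method_name = roles.map { |r| r.delete(' ').downcase }.join('_or_') + '_role_required'
      define_method(method_name) do
        access_denied and return false unless logged_in? && current_user.roles.any? { |r| roles.include?(r.name) }
        true
      end
      before_filter method_name.to_sym, options
    end
  end

  # Run the registered filters in order; the first one returning false denies.
  def run_filters
    self.class.filters.all? { |name, _opts| send(name) != false }
  end
end

class PostsController < FakeController
  require_role 'Author', 'Admin', :only => [:new, :create]
end
# true when the request may proceed to the action, false when it is denied.
def allowed?(user)
  PostsController.new(user).run_filters
end
```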
Publication and locking of posts doesn't really deserve a separate post (yet). For now, they are simply booleans that indicate whether a post is visible and whether comments are allowed. In a future enhancement, publication will be enhanced to support date triggered publication (and maybe expiry). Also, when comments are locked, the author should probably still be allowed to comment on the post (or user comments) — I'll probably deal with that later too.
Cheers.