Rails 3 company account with many users, restrict access to data

Submitted by 血红的双手 on 2019-12-04 15:35:57

I'd suggest using CanCan for authorization.

Your Ability model would look something like

def initialize(user)   # CanCan passes the current user here; `current_user` is not available inside Ability
  can :manage, Isbn do |isbn|   # block form: only evaluated when an Isbn instance is checked
    isbn.account == user.account
  end
end

Then you can use conditionals like can? :manage, @post in your Controller/Views.

You should have a look at https://github.com/stffn/declarative_authorization. I think that one does exactly what you're asking for (you can limit access to certain records).

So, in your example you could set up the authorization with something like this:

role :user do
  has_permission_on :isbns do   # context is the pluralized model/controller name, per declarative_authorization's DSL
    to :manage
    if_attribute :account_id => is_in { user.account_ids }
  end
end

Have you looked at XACML? It's a policy-based, declarative framework for authorization. It's also a standard from OASIS.

With XACML you can take any attributes you need (user, resource, action, or context attributes) and express the use case that you have.

Your initial requirement was

users can only access records that were created by themselves or another user with the same account.

In XACML that would become the following policy:

A user can access a record if and only if the record.owner==user.id OR user.accountId==record.accountId

That's all! XACML's architecture defines the policy enforcement point (PEP) which is the component that protects your app/data and sends the authorization request to the policy decision point (PDP). The PEP says: "Can Alice access record #123?" The PDP checks Alice's account Id and the record's account id as well as owner. The PDP eventually returns a "Permit" or a "Deny".

HTH
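All three answers above express the same rule (a user may access a record they own or one belonging to their account). The following is an added example, not code from any of the answers or from CanCan, declarative_authorization or an XACML engine: a plain-Ruby model of that rule written as a PDP-style decision function plus a list scope, so it runs without Rails. Account, User and Record are constructed stand-ins for the questioner's models, and the sample rows are constructed. It also shows a pitfall in the naive `record.account == user.account` comparison: in Ruby `nil == nil` is true, so a user with no account would be permitted on every account-less record unless the check fails closed.

```ruby
# Added example (not from the original answers): owner-or-same-account policy
# in plain Ruby. Account/User/Record are stand-ins for the questioner's models.
Account = Struct.new(:id)
User    = Struct.new(:id, :account_id)
Record  = Struct.new(:id, :owner_id, :account_id)

module RecordPolicy
  # PDP-style decision: always returns :permit or :deny, never nil.
  # Policy (from the XACML answer):
  #   permit iff record.owner == user.id OR user.accountId == record.accountId
  # Fail closed: a missing account on either side must never match.
  def self.decide(user, record)
    return :deny if user.nil? || record.nil?
    return :permit if !user.id.nil? && record.owner_id == user.id
    return :permit if !user.account_id.nil? && user.account_id == record.account_id
    :deny
  end

  def self.permit?(user, record)
    decide(user, record) == :permit
  end

  # The comparison as written in the CanCan answer, kept here only to show
  # the nil/nil pitfall: both sides nil compares equal and grants access.
  def self.naive_permit?(user, record)
    record.account_id == user.account_id
  end

  # Query-side scope: the rows a user may list. Per-record checks (the
  # PEP-per-object pattern) suit show/edit; for index actions filter first
  # so rows from other accounts are never fetched at all.
  def self.accessible(user, records)
    records.select { |r| permit?(user, r) }
  end
end

# Constructed sample data
ACME   = Account.new(1)
GLOBEX = Account.new(2)
ALICE  = User.new(10, ACME.id)
BOB    = User.new(11, ACME.id)
CAROL  = User.new(12, GLOBEX.id)
ORPHAN = User.new(13, nil)          # a user with no account

RECORDS = [
  Record.new(100, ALICE.id, ACME.id),
  Record.new(101, BOB.id,   ACME.id),
  Record.new(102, CAROL.id, GLOBEX.id),
  Record.new(103, nil,      nil),    # record with no owner and no account
].freeze

if $PROGRAM_NAME == __FILE__
  [ALICE, CAROL, ORPHAN].each do |u|
    ids = RecordPolicy.accessible(u, RECORDS).map(&:id)
    puts "user #{u.id} (account #{u.account_id.inspect}) may list #{ids.inspect}"
  end
  puts "naive check, orphan vs record 103: #{RecordPolicy.naive_permit?(ORPHAN, RECORDS[3])}"
  puts "fail-closed check, orphan vs record 103: #{RecordPolicy.permit?(ORPHAN, RECORDS[3])}"
end
```

Mapped back to the gems in the answers: `decide` is what the CanCan block or the `if_attribute` clause computes for one record, and `accessible` is the list-scoping counterpart (in CanCan that means hash conditions such as `account_id: user.account_id` rather than a block, since block rules cannot be turned into a query). Whatever library you pick, make the no-account case explicit rather than relying on equality of two nils.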
