Question
I use Devise for authentication and have assigned a role to each user. I have one more model, Posts, which contains a number of posts. I want to restrict one user with the role employee to only viewing a specific post, while the same user can view and create a different post. How can I do this?
Answer 1:
I realize I am late to the battle here.
What you are looking for is an extension to role-based access control. RBAC cannot cater well for your scenario. You need to consider attribute-based access control. CanCan and Devise are two language-specific frameworks that address attribute-based access control.
If you want a broader, more generic ABAC solution, then consider XACML, the eXtensible Access Control Markup Language, which is a standard defined by OASIS much like SAML is.
XACML gives you:
- attribute-based access control: attributes can be used to describe pretty much anything (users, objects, resources, context, time, actions...).
- policy-based access control: policies bring together attributes to define authorization. For instance, employees can view the posts of employees in the same team and can edit posts they own.
- fine-grained access: it is possible to define very specific and granular authorization policies
- support for segregation of duty
- language-independent authorization: it works for Java, .NET, Ruby, Python, and more...
- centralized policy management
Here are some interesting resources to learn more:
- NIST RBAC model
- NIST ABAC model
- OASIS XACML website
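The example policy from this answer (employees can view posts of employees on the same team and edit posts they own), written out as an added plain-Ruby attribute check. This is illustration code, not from the original answer, CanCan or any XACML engine; the User/Post structs, their attribute names and the rule set are assumptions.

```ruby
# Added example: a minimal attribute-based policy check for the question's
# scenario. Struct fields, attribute names and rules are assumptions.
User = Struct.new(:id, :role, :team, keyword_init: true)
Post = Struct.new(:id, :author_id, :team, keyword_init: true)

# One predicate per action. Each decision depends on attributes of both the
# subject (user) and the resource (post), not on the role alone, which is
# what lets two users with the same role get different permissions per post.
POLICY = {
  view:   ->(user, post) { user.role == :employee && user.team == post.team },
  edit:   ->(user, post) { user.role == :employee && user.id == post.author_id },
  create: ->(user, _post) { user.role == :employee },
}.freeze

def permitted?(user, action, post)
  rule = POLICY[action]
  return false if rule.nil? # deny by default: no rule means no access
  rule.call(user, post)
end

# Constructed sample users and post exercising each branch of the policy.
def demo
  alice = User.new(id: 1, role: :employee, team: "platform")
  bob   = User.new(id: 2, role: :employee, team: "platform")
  carol = User.new(id: 3, role: :employee, team: "sales")
  bobs_post = Post.new(id: 10, author_id: 2, team: "platform")
  {
    alice_views_bobs: permitted?(alice, :view, bobs_post),   # same team   -> true
    alice_edits_bobs: permitted?(alice, :edit, bobs_post),   # not owner   -> false
    bob_edits_own:    permitted?(bob,   :edit, bobs_post),   # owner       -> true
    carol_views_bobs: permitted?(carol, :view, bobs_post),   # other team  -> false
    alice_deletes:    permitted?(alice, :delete, bobs_post), # no rule     -> false
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```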
Answer 2:
Check out this tutorial, which shows how to define logic to control user activity:
https://github.com/EppO/rolify/wiki/Using-rolify-with-Devise-and-Authority
Source: https://stackoverflow.com/questions/12972280/how-can-a-user-with-same-role-access-different-posts-with-different-permissions