lockdown is gem, but variables are held in Lockdown::System as instance vars
Added by dan s 76 days ago
My question is that I am using the plugin. It's great, but is it not a flaw that
the gem holds public_access rights as an instance var, which
all Rails applications on one machine are accessing at the same time?
I have modified the gem to make model-level permissions,
by storing lambdas that you create and the system uses to filter the model in question
and select only the model instances that you have rights for.
But these lambdas cannot be stored in the session, so I
access model permissions with a method that goes into Lockdown::System and
finds the lambdas for that model when requested from the @permissions hash.
Anyway .. there is room for discussion there.
and model permissions or lambdas in @permissions[:model].
This works .. but could be improved.
Also, I found a bug where this method ( standard_authorized_user_rights )
  def standard_authorized_user_rights
    Lockdown::System.public_access + Lockdown::System.protected_access
  end

  def standard_authorized_user_rights
    Lockdown::System.public_access
  end
was passing back all rights, both public and protected. How did lockdown ever work with
this bug? I am not sure.
Anyway .. I like the flexibility of not having to put code in the view to block links. It's really nice to hijack link_to that way.
~ Daniel
Replies
RE: lockdown is gem, but variables are held in Lockdown::System as instance vars - Added by Andrew Stone 76 days ago
Hey Daniel,
Thanks for the feedback. The standard_authorized_user_rights method is correct as is. This represents access that all users get once they log in. Lockdown defines protected access as rights all authenticated users will get. Think of it as a baseline of access rights.
As you will see in the controller, if the session hasn't been initialized it is populated as such:
session[:access_rights] ||= Lockdown::System.public_access
This is to allow non-authenticated (aka public visitors) access.
The instance vars represent the rules defined in init.rb. These don't change per user, and each Rails application will have its own instance, so there is no issue there.
I would like to see what you've done with model access. I've been toying around with that idea, but have yet to come up with a good design.
thanks,
andy
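The following is an added illustration of the mechanism the two posts argue about (public rights for visitors, public plus protected as the baseline for anyone logged in, rules held once per process in class-level instance vars, and the per-session rights list that a before_filter checks). It is not code from the lockdown gem or from either poster; the module, method bodies and the constructed rules are assumptions that only borrow the names used in the thread.

```ruby
# Constructed stand-in for the lockdown gem (not its real code).
module LockdownDemo
  module System
    class << self
      # Class-level instance vars: populated once per Rails process from the
      # rules file, shared by every request in that process, never per user.
      attr_reader :public_access, :protected_access

      def configure(public_access:, protected_access:)
        @public_access = public_access.freeze
        @protected_access = protected_access.freeze
      end
    end
  end

  # Baseline rights every authenticated user receives: public + protected,
  # matching Andrew's reading of the original method.
  def self.standard_authorized_user_rights
    System.public_access + System.protected_access
  end

  # Mirrors `session[:access_rights] ||= Lockdown::System.public_access`:
  # an uninitialised session gets only the public rights.
  def self.initialize_session(session)
    session[:access_rights] ||= System.public_access.dup
    session
  end

  # On login the session is widened to the authenticated baseline plus any
  # rights granted to that particular user.
  def self.login(session, user_rights = [])
    session[:access_rights] = (standard_authorized_user_rights + user_rights).uniq
    session
  end

  # The check a before_filter (or a hijacked link_to) performs per request.
  def self.authorized?(session, controller_action)
    Array(session[:access_rights]).include?(controller_action)
  end
end

# Constructed rules standing in for init.rb.
LockdownDemo::System.configure(
  public_access: ["sessions/new", "sessions/create"],
  protected_access: ["sessions/destroy", "dashboard/index"]
)

def lockdown_demo_run
  visitor = LockdownDemo.initialize_session({})
  member  = LockdownDemo.login(LockdownDemo.initialize_session({}), ["posts/edit"])
  { visitor_dashboard: LockdownDemo.authorized?(visitor, "dashboard/index"),
    member_dashboard:  LockdownDemo.authorized?(member, "dashboard/index"),
    member_edit:       LockdownDemo.authorized?(member, "posts/edit"),
    visitor_edit:      LockdownDemo.authorized?(visitor, "posts/edit") }
end
```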