Rails Authorization on Web Services

Question

My rails app is pretty much a front-end to several web services. I persist my User model, and that's about it. I need to add authorization to my web app, using Devise for authentication. I've noticed CanCan and acl9 seem to work mostly on instances of ActiveRecord models. Would CanCan or acl9 still fit my needs? Any tips on using either of these libraries in my situation?

Should I look for something that works more on actions instead of instances?

Also, these are both Role based systems, and I'm thinking of using a permission based system. Would they still be a good fit?

Answer 1

I can't speak for acl9. However, the cancan wiki does claim that "It is easy to make your own [model] adapter if one is not provided." https://github.com/ryanb/cancan/wiki/Model-Adapter In other words, even though you're not using ActiveRecord, you might still be able to use cancan.

Then again, if you're not planning on having roles, your ability definitions in cancan might be a little redundant looking, eg.:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)

    can :create, Widget if user.has_permission(:create_widgets)
    can :delete, Widget if user.has_permission(:delete_widgets)
    can :herp, Derp if user.has_permission(:herp_derp)
  end
end

It would be great if you could use cancan just for its controller action authorization methods, but I don't know if that's possible. Good luck.

Answer 2

Just to (finally :) answer for acl9.

Acl9 is composed of two very separate pieces, the Access Control Subsystem which is all the authorizing stuff you put in your controller, and the Role Subsystem which is setting/checking/removing roles from an authenticated user.

The only thing that the Access Control Subsystem ever calls is current_user.has_role?( role, obj=nil). So, the Role Subsystem has zero dependency on ActiveRecord, associations, database, etc. There is a helper (acts_as_authorization_subject) which adds an ActiveRecord-dependent has_role? method to a class, but that's entirely optional and you're free to implement your own has_role? method (which can also fallback to calling super to get the acl9 one) and implement your access checks however you please. So, you said that you do persist your user model, but let's say you want a role for your user to be the admin of a school, but that school is a web service call into some remote system.

## in your model
class User < ActiveRecord::Base

  def has_role? role, obj=nil
    role == :admin  &&
      obj == school &&
      school[:admin] == id  # <-- just making up how we know we're the admin of the remote school
    end
  end

  def school
    @school ||= School.get_by_user_id(id)
  end
end

## in your controller
class SomeController < ApplicationController
  before_action :set_school

  access_control do
    allow :admin, of: :school
  end

  private
  def set_school
    @school = School.get_by_id(params[:school_id])
  end
end