ruby on rails - Authorization in multi tenant app -


in railscasts episode 388 - multitenancy scopes, ryan adding default scope ensure security:

alternatively can use authorization library such cancan handle scoping isn’t designed multi-tenant apps , won’t solve problem well. 1 case it’s acceptable use default scope that’s we’ll do.

class tenant < activerecord::base   attr_accessible :name, :subdomain   has_many :topics end  class topic < activerecord::base   attr_accessible :name, :content   belongs_to :user   has_many :posts    default_scope { where(tenant_id: tenant.current_id) } end

my question is: want implement authorization (for example cancan) , define abilities these:

class ability   include cancan::ability    def initialize(user)     user ||= user.new # guest user (not logged in)     if user.admin?       can :manage, topic     else       can :read, topic     end   end end

does user have ability manage topics of tenants or within tenants scope?

or more general question: what's right method of authorization multi tenant applications?

you on right track using cancan, or cancancan since cancan deprecated, think.

i don't default_scope reason not threadsafe. user id stored in class variable, means 2 or more concurrent users in app break unless use unicorn or other web server makes sure no more 1 single client connection access same thread.

you should therefore use cancan.

class ability   include cancan::ability    def initialize(user)     user ||= user.new # guest user (not logged in)     if user.admin?       # user's own topics only:       can :manage, topic, user_id: user.id       # or, tenant       can :manage, topic, tenant_id: user.tenant.id if user.tenant # user belongs_to tenant       can :manage, topic, tenant_id: user.tenants.map(&:id) if user.tenants.any? # user has_many tenants     else       can :read, topic # can read topic.     end   end end

pick strategy need 3 examples above.

edit more complicated example multi-tenant admins @joshdoody's question in comments:

class admin < user; end  class tenantadmin   belongs_to :tenant   belongs_to :admin, class_name: user end  class ability   include cancan::ability    def initialize(user)     user ||= user.new # guest user (not logged in)     if user.admin?       can :manage, topic, tenant_id: tenantadmin.where(admin: user).map(&:tenant_id)     else       can :read, topic # can read topic     end   end end

now, might not performant like, general idea have tenantadmins able manage topics within tenants.

hope helps.


Comments

Post a Comment

Popular posts from this blog

php - SPIP: From Tag directly to an article -

i work spip , plugin called tagsphere works fine tags in spip. have tag groupe put 1 article tag. when click on tag in tagsphere send me before menu can see articles linked tag. want send me directly article without see tag menu before. here code model of thagsphere: <div id="tagsphere-#env{id_article}"> <ul> <boucle_mot(mots){id_groupe ?}> <li>[<a href="#url_mot">(#titre)</a>]</li> </boucle_mot> </ul> </div> anybody idea? if want skip tag page, have link directly article. <b_article> block prevents display tag if no article linked. <div id="tagsphere-#env{id_article}"> <ul> <boucle_mot(mots){id_groupe ?}> <b_article> <li> <a<boucle_article(articles){...
Read more

jquery - isAjaxRequest always return false -

i got error message 404,'model has not been saved' following code my action controller public function actionextend($id) { $model=$this->loadmodel($id); if(yii::app()->request->isajaxrequest) { $model->todate = date('y-m-d h:i:s a',(strtotime('next month',strtotime(date('y-01-d'))))); if($model->save()) { yii::app()->end(); } else { throw new chttpexception(404,'model has not been saved'); } } } the jquery call $("#buttonextend<?php echo $this->post_row;?>").click(function(e){ $.ajax({ type: "post", url: "<?php echo yii::app()->createurl('post/extend', array('id' => $data['id'])); ?>", }); }); why not ajax call ? thank help i found response, missed } , function ...
Read more

ruby on rails - In a controller spec, how to find a specific tag in the generated view? -

i know integration tests preferred need ran in controller test, i'm testing gem injecting html code in view, xhr can't run in feature spec (if can, please explain me how :) ) so rspec controller tests can assert selector present (with capybara) : response.body.should have_selector('#foobar') has_selector? call all method capybara find selector. what want last child of body , assert id in particular. afaik it's not possible have_selector. what : all('body:first-child').first.id.should == '#foobar' however, capybara dsl, defined (more or less): def all(*args) page.all(*args) end and page empty unless use visit it's integrations specs. how can use capybara all method inside rspec controller test ? i can't test right after googling seems trick def page capybara::node::simple.new(response.body) end source
Read more