Home/ Questions/Q 7191689
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T19:46:57+00:00

I am trying to implement a service with a public api which access control

  • 0

I am trying to implement a service with a public api which access control pattern is very similar to facebooks graph api. I am using the doorkeeper gem that allows me to do OAuth with Devise and also easily give permissions/scopes to access tokens.

So beyond that, I would need:
– access control based on the scope of the access token
– access control for different groups users on the platform (like privacy settings on facebook)
– access control has to be dynamic, cant assume fixed roles

No I did take a look at CanCan which seems to do role based access control, but it doesnt seem to incoorperate OAuth very easily, so that I ask myself whether it might be the best to just roll out my own system? Would it be the right way to basically do all the access control on the models then?

Do you have any other suggestions?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think CanCan can handle what you want. Since you haven’t provided specifics on what deems a user authorized, I will show you some methods I think will be helpful. The first thing I will say is that you can pass in any objects you want to your ability file. To do so, you do the following:

    def ApplicationController < ActionController::Base
  def current_ability
    @current_ability = CustomAbility.new(pass, in, anything, here)
  end
end

    In app/models you would when define custom_ability.rb:

    def CustomAbility 
  include CanCan::Ability

  def initialize(anything, you, want, here)
    ...
  end
end

    In this case, anything = pass, you = in, want = anything, here = here. In addition, you can call some methods on the resource you are authorizing. CanCan works by loading @resource_name and then entering the ability file to authorize. It loads @resource_name by assuming RESTful routes, but you can easily use a before_filter to load your own resource, as long as you store it in @resource_name (i.e. store a User in @user).

    You can also call certain methods on the object you are authorizing already created parameters. For instance, you may want to do something like this:

    def initialize(user)
  can :read, Post do |post|
    !((post.readable_groups & user.groups).empty?)
  end
end

    Basically, if a line in that block returns false then you become unauthorized. The only caveat is that the block is not executed on create or new. There are ways around this. For instance, lets say you enforced one post per user in the model level with uniqueness validations. You could use a before filter to load the post setting the user_id, and then do

    can :create, Post, valid?: true

    Anyway, hope that helps.

    • 0