I’ve been testing Rails for the last few months and it rocks!
But I have a problem with how to do RLS (row-level security), which is crucial for me.
I thought I should use ActiveRecord callbacks, but they can only be fired before or after an alteration of the object state, as they say.
I’m going to use PostgreSQL, so I could use views to allow a particular user / organization to see only its own rows, but I would rather implement the logic of my RLS in Rails instead of putting it in my DB directly …
I’m working on a project now that uses Grant. Though it’s not incredibly mature, it does seem to lock things down quite nicely in the models rather than in the controllers, which is where most other ‘security’ modules for Rails require you to put logic.
Controller-level security really only dictates where users can go, not what they can see. If you accidentally put the wrong resource on a page, you might inadvertently leak info you didn’t mean to.
That said, for a small project I’m using CanCan, and it works well as long as you’re careful not to include resources in views that aren’t checked.
Either way you’ll need an authentication system to log users in and out. There are a few: Devise is probably the most widely used.
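The leak the reply warns about, as an added example that is not code from the thread: plain Ruby stands in for Rails, an in-memory array stands in for the PostgreSQL table, `Current` stands in for the per-request context, and `organization_id` is an assumed tenant column. The first page guards only in the controller and the "view" forgets to filter; the second pushes the filter into the model, where a careless view cannot bypass it.

```ruby
# Added example, not code from the thread. Rails-free stand-in: an in-memory
# table replaces PostgreSQL and Current replaces the request context.
Current = Struct.new(:organization_id)

# Constructed sample rows: two organizations, three invoices.
INVOICES = [
  { id: 1, organization_id: 10, amount: 100 },
  { id: 2, organization_id: 10, amount: 250 },
  { id: 3, organization_id: 20, amount: 999 },
].freeze

# Controller-only security: the page itself is authorised, but the template
# renders the whole collection, so invoice 3 (another tenant) is exposed.
def controller_only_page(current, requested_org_id)
  raise "forbidden" unless current.organization_id == requested_org_id # controller guard
  INVOICES.map { |row| row[:id] }                                       # "view" forgot to scope
end

# Model-level security: the model refuses to hand out rows outside the
# current tenant and fails closed when no tenant is in scope at all.
module TenantScoped
  def for_tenant(current)
    raise ArgumentError, "no tenant in scope" if current.organization_id.nil?
    select { |row| row[:organization_id] == current.organization_id }
  end
end
INVOICES_MODEL = INVOICES.dup.extend(TenantScoped)

# Same controller guard, but every read goes through the model scope, so a
# view that lists "everything" still only sees the caller's own rows.
def model_scoped_page(current, requested_org_id)
  raise "forbidden" unless current.organization_id == requested_org_id
  INVOICES_MODEL.for_tenant(current).map { |row| row[:id] }
end
```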