Chapter 7. Basic access control


This chapter covers

  • Adding an authorization flag to a database table
  • Locking down access based on a database flag

As your application now stands, anybody, whether signed in or not, can create new projects. As you did for the actions in the TicketsController, you must restrict access to the actions in the ProjectsController. The twist here is that you’ll allow only a certain subset of users, those with one particular attribute set in one particular way, to access the actions.

You’ll track which users are administrators by putting a boolean field called admin in the users table. This is the most basic form of user authorization, which is not to be confused with authentication, which you implemented in chapter 6. Authentication is the process by which users confirm their identity; authorization is the process by which an already-identified user is granted or denied access to specific areas of the application.
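The distinction between the two checks, and the order in which they should run, is easy to see in plain Ruby. The following is an added example and not code from the book or its application: a stand-in for ProjectsController with a before_action-style filter chain, where the User struct, the error classes and the attempt_create helper are all constructed for this illustration and assume the users table carries the boolean admin column described above (defaulting to false, so a newly created user is never an admin by accident).

```ruby
# Added example (not from the book): the admin-flag authorization pattern
# modelled without Rails, so it runs stand-alone with plain Ruby.
# Hypothetical: User, Forbidden, Unauthenticated, ProjectsController stand-in.

# A user record; :admin mirrors the boolean admin column on the users table.
# Assumption: the column defaults to false, so nil never means "admin".
User = Struct.new(:email, :admin, keyword_init: true)

class Unauthenticated < StandardError; end # nobody is signed in (chapter 6)
class Forbidden < StandardError; end       # signed in, but not an admin

# Minimal controller stand-in: the filters below play the role of
# before_action callbacks guarding the create action.
class ProjectsController
  attr_reader :current_user, :projects

  def initialize(current_user)
    @current_user = current_user
    @projects = []
  end

  # Authentication: is anyone signed in at all?
  def authenticate_user!
    raise Unauthenticated, "sign in first" if current_user.nil?
  end

  # Authorization: is the signed-in user flagged as an admin?
  # Authenticate first so an anonymous request is answered with a sign-in
  # redirect rather than leaking whether an admin check exists.
  def authorize_admin!
    authenticate_user!
    raise Forbidden, "admins only" unless current_user.admin == true
  end

  # The guarded action: only reached when both filters pass.
  def create(name)
    authorize_admin!
    projects << name
    name
  end
end

# Maps the outcome of a create attempt to the response a controller
# would give: redirect to sign-in, 403-style refusal, or success.
def attempt_create(user, name)
  ProjectsController.new(user).create(name)
  :created
rescue Unauthenticated
  :redirect_to_sign_in
rescue Forbidden
  :forbidden
end

if __FILE__ == $PROGRAM_NAME
  puts attempt_create(nil, "Ticketee")
  puts attempt_create(User.new(email: "user@example.com", admin: false), "Ticketee")
  puts attempt_create(User.new(email: "admin@example.com", admin: true), "Ticketee")
end
```

The explicit `== true` comparison is deliberate: it keeps a nil admin value (a row created before the column existed, or one loaded without a default) on the denied side of the check, which is the safe failure mode for an authorization flag.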

7.1. Projects can be created only by admins

To restrict the creation of projects to admins, you alter the existing Background in features/creating_projects.feature and insert the following listing as the first three lines.

Listing 7.1. features/creating_projects.feature

This listing creates a user. The Background should now look like the following listing.

7.2. Adding the admin field to the users table


7.3. Restricting actions to admins only


7.4. Namespace routing


7.5. Namespace-based CRUD


7.6. Creating admin users


7.7. Editing users


7.8. Deleting users


7.9. Summary
