Over the past few years, I have been refining a security system for Ruby on Rails. I've used it in every Rails app I've ever written. However, there aren't many similarities between this public release and the older versions, as a lot of refactoring has been done over time.
The original reason behind Lockdown's creation was twofold:
- The existing security systems worked off of the principle "allow all access unless restricted". I think that is the opposite of how a security system should work. Therefore, Lockdown works off of the principle "restrict all access unless allowed".
- It was not possible to administer the security rules via a user interface; it was all code based. This posed two issues for me:
  - I had to modify code in order to add rules or change access. Yuck. I like management screens (they aren't required with Lockdown, just an option).
  - The systems I saw required code to be placed in each of the controllers to define the access for that controller. Code everywhere. Yuck again. I wanted a central place to manage my access rules.
So I built what I wanted and all was looking pretty good until I ran into RSpec. This threw a big cold bucket of water on the DRYness I try to achieve. Since tests worked off of the test database and migrations were excluded (only the structure was loaded), that meant I would have to redefine all my security rules as mock objects. That goes way beyond a Yuck! to #uck!. I simply refused to do this extra work (repeatedly). So I went about refactoring Lockdown to play nice in this situation.
Where it was fully dependent on the database, it is now more code based: the init.rb file is the only place to define Permissions and the main place to define UserGroups. This means you don't have to redefine your Permissions or UserGroups for your tests. Now I'm back on track...
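To make the "restrict all access unless allowed" principle and the single central rule file concrete, here is an added illustration of a default-deny check with permissions and user groups declared in one place. It is a hypothetical model written for this post, not Lockdown's own API; the class, method and rule names are assumptions.

```ruby
# Hypothetical model of Lockdown's "restrict all access unless allowed" principle
# (not Lockdown's actual API). Permissions and user groups are declared centrally,
# the way init.rb serves as the one place to define them, and the check returns
# false for anything that is not explicitly granted.
require 'set'

class AccessRules
  Permission = Struct.new(:controller, :actions) # actions: :all or a Set of names

  def initialize
    @permissions = {}                               # name => Permission
    @public      = Set.new                          # names granted to everyone
    @groups      = Hash.new { |h, k| h[k] = Set.new } # group => permission names
  end

  # Central declarations: one controller, optionally limited to some actions.
  def permission(name, controller, actions = :all)
    acts = actions == :all ? :all : Set.new(actions)
    @permissions[name] = Permission.new(controller, acts)
  end

  def public_access(*names)
    @public.merge(names)
  end

  def user_group(name, *perms)
    @groups[name].merge(perms)
  end

  # Default deny: true only when a permission the caller holds (publicly or via
  # one of its groups) explicitly covers this controller/action pair.
  def allowed?(groups, controller, action)
    granted = @public | groups.flat_map { |g| @groups.fetch(g, Set.new).to_a }
    granted.any? do |name|
      perm = @permissions[name] or next false   # an undeclared name never grants
      perm.controller == controller &&
        (perm.actions == :all || perm.actions.include?(action))
    end
  end
end

# Constructed rule set for the demonstration.
RULES = AccessRules.new
RULES.permission(:view_posts, 'posts', %w[index show])
RULES.permission(:manage_posts, 'posts')
RULES.permission(:admin_panel, 'admin')
RULES.public_access(:view_posts)
RULES.user_group(:editors, :manage_posts)
RULES.user_group(:admins, :manage_posts, :admin_panel)
```

A visitor with no groups can reach `posts#show` but not `posts#destroy`, and a controller that has no declared permission yet (say `reports`) is closed to everyone, admins included, until a rule is added for it; an allow-by-default system would have exposed it silently.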
I then made the decision to really focus on releasing this to the community. I had always intended to do this but realized it needed more work to simplify the installation and use. I won't bore you with the stages, but I will just say that there were a few.
I think the community will benefit from Lockdown as much as Lockdown will benefit from the community. So, kick the tires, take it for a spin and let me know what you think.
There is a Google group set up for your questions.
Right now, it's really focused on Ruby on Rails. However, it is architected for Merb support; I just haven't completed it. A Merb release will be coming soon.
thanks,
andy

1 comment:
Very interesting flip of the common wisdom. I'm thinking through my custom security framework (don't worry, I rock it old school in Java) and I generally return boolean false from isAllowedToAccess() unless I've specified it's a public page or the person's on the acl. But I didn't really realize as much until you mentioned it. Interesting approach... I hope it takes off!