Delimiting Authentication & Authorisation #197
Unanswered
whysthatso asked this question in Q&A
Replies: 1 comment
While authorization needs differ from app to app, you would typically combine an authorization gem with Rodauth like you would with any other authentication framework. In a greenfield app I started working on, we have three different types of users, but for now they all share the same Rodauth configuration. Which parts of the app they can access is mostly independent from authentication here. The only exception is that while all three types of users will be able to use the mobile app (which authenticates on the backend via the JSON API), we want to restrict the web app to "managers" only. I implemented that as follows:

```ruby
# allow only managers to authenticate on the web for now
account_from_login do |login|
  if json_request?
    super(login)
  else
    account = super(login)
    account if account && Manager.exists?(account_id: account[:id])
  end
end
```
0 replies
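As an added illustration of the split the reply describes (this is not code from the reply, nor from Rodauth, rodauth-rails, Rails or Pundit), here is the same idea in plain Ruby with no gems: an `Authenticator` whose `account_from_login` mirrors the manager-only web filter, followed by a Pundit-style `ReportPolicy` that decides per action on the already-authenticated account. The `ACCOUNTS`, `MANAGER_IDS`, `ADMIN_IDS` and `REPORT` fixtures, the class names and the policy rules are all constructed for the example.

```ruby
# Constructed fixtures standing in for the accounts table and two role tables
# (a Manager table and an Admin table). Assumptions for this example only.
ACCOUNTS = {
  "alice@example.com" => { id: 1, email: "alice@example.com" },
  "bob@example.com"   => { id: 2, email: "bob@example.com" },
  "carol@example.com" => { id: 3, email: "carol@example.com" },
}.freeze
MANAGER_IDS = [1].freeze
ADMIN_IDS   = [3].freeze

# A constructed record to authorize against; it is owned by bob.
REPORT = { id: 10, owner_id: 2 }.freeze

# --- Authentication: which account is this, and may it log in via this channel?
# Mirrors the account_from_login override in the reply: the lookup is the same
# for every channel, but the web channel additionally requires a manager.
class Authenticator
  def initialize(json_request:)
    @json_request = json_request
  end

  def account_from_login(login)
    account = ACCOUNTS[login.to_s.strip.downcase]
    return account if @json_request # mobile/JSON API: any known account
    account if account && MANAGER_IDS.include?(account[:id])
  end
end

# --- Authorization: what may this (authenticated) account do to this record?
class NotAuthorizedError < StandardError; end

# Pundit-style policy object: built from the account and the record, with one
# predicate per action. The rules are constructed for the example.
class ReportPolicy
  def initialize(account, report)
    @account = account
    @report  = report
  end

  def show?
    return false if @account.nil?
    admin? || manager? || owner?
  end

  def update?
    return false if @account.nil?
    admin? || owner?
  end

  def destroy?
    return false if @account.nil?
    admin?
  end

  private

  def owner?
    @report[:owner_id] == @account[:id]
  end

  def manager?
    MANAGER_IDS.include?(@account[:id])
  end

  def admin?
    ADMIN_IDS.include?(@account[:id])
  end
end

# Raises unless the policy allows the action; the action name is the policy
# predicate to call (:show?, :update?, :destroy?).
def authorize!(account, report, action)
  policy = ReportPolicy.new(account, report)
  raise NotAuthorizedError, "#{action} denied" unless policy.public_send(action)
  true
end

# One request end to end: authenticate first, then authorize. The distinct
# return values keep the two failure modes apart (401-style vs 403-style).
def handle_request(login:, json_request:, action:, report: REPORT)
  account = Authenticator.new(json_request: json_request).account_from_login(login)
  return :unauthenticated if account.nil?
  authorize!(account, report, action)
  :ok
rescue NotAuthorizedError
  :forbidden
end
```

The instructive case is bob: he owns the report, so the policy would let him update it, yet on the web channel he never reaches the policy because the authentication layer refuses non-managers. Carol, an admin, is likewise turned away on the web for not being a manager while succeeding over JSON. Keeping the channel restriction in `account_from_login` and the per-record rules in a policy object is what lets each layer be reasoned about on its own.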
I'm trying to understand the threshold between authentication & authorization with rodauth-rails and would like your comment. I look at Rodauth mainly through the lens of authentication, which I believe is the general understanding for its use.

However, when setting up multiple Rodauth apps (i.e. user/admin/manager), and given the `current_account` pattern, I already have two dimensions of authorization, right? I have groups, and I have different members of groups. I'm now trying to think of scenarios that I could not implement with this simplistic authorization model:

I have to think about others, please add if you have specific use cases.

It's an age-old moniker: authentication is who you are, authorization is what you can do. But when applying that to how Rails and auth&auth gems are working, it's not as easy to delimit, I think.

What would be a good angle to look at it in terms of Rodauth? Is it advisable to combine it with a particularly fitting authorization gem? I came across some opinions that seemed to favor Pundit, and recently I learned about action_policy. Any other candidates, besides the usual CanCanCan, etc.?