
Add role based authorization #158

Closed
nicolas-besnard opened this issue Feb 19, 2015 · 4 comments

Comments

@nicolas-besnard
Contributor

I know this is not the purpose of this gem, but if you had to implement it to work with ng-token-auth, how would you do that?

I'm working on a project based on this Gem, and I will need authorization for the iOS / Android app and later, the website.

@lynndylanhurley
Owner

My current approach has been as follows:

  1. Return a list of roles / permissions with the user object on validation. This will look something like this in the $auth.user object:

    {
      id: 1,
      // ...
      permissions: {
        // ...
        applications: {
          view: true,
          edit: false,
          destroy: false
        },
        // ...
      }
    }
  2. Define a permissions service on the client that can check the user's permission object to determine their access to views / actions. This will look something like this when used in a template:

    <ul>
      <!-- ... -->
      <li ng-show="hasPermission('applications', 'view')">
        <a ui-sref='user.applications'>Applications</a>
      </li>
      <!-- ... -->
    </ul>
  3. This is important - access to resources must be limited on the API as well as the client. We're using pundit for this.

This has been working for me in my apps, but I'm not sure if it can be generalized for every use case.
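
An added example of the three steps above in plain Ruby (it is not code from this thread, nor from devise_token_auth, ng-token-auth or Pundit): a role-to-permissions map that produces the `permissions` object of step 1, the same lookup the template's `hasPermission()` does in step 2, and a Pundit-style policy for step 3 that recomputes the decision from the user's roles on the server and ignores anything the client sends. The role names, the `applications` resource, `NotAuthorizedError`, `handle_destroy` and the users it builds are assumptions for illustration.

```ruby
# Added example, not the gem's code. Role definitions, resource names and the
# NotAuthorizedError class are assumptions for illustration.

# Step 1: which actions each role grants on each resource (assumed roles).
ROLE_PERMISSIONS = {
  "viewer" => { "applications" => %w[view] },
  "editor" => { "applications" => %w[view edit] },
  "admin"  => { "applications" => %w[view edit destroy] },
}.freeze

# Every resource/action pair the client may ask about, so absent ones are false, not nil.
RESOURCES = { "applications" => %w[view edit destroy] }.freeze

def role_allows?(roles, resource, action)
  roles.any? { |r| (ROLE_PERMISSIONS.dig(r, resource) || []).include?(action) }
end

# Builds the permissions object of the shape shown in the comment above.
def permissions_for(roles)
  RESOURCES.each_with_object({}) do |(resource, actions), out|
    out[resource] = actions.each_with_object({}) do |action, acts|
      acts[action] = role_allows?(roles, resource, action)
    end
  end
end

User = Struct.new(:id, :email, :roles) do
  # Step 1: what is returned with the user object on sign_in / validate_token.
  def token_validation_response
    { "id" => id, "email" => email, "permissions" => permissions_for(roles) }
  end
end

# Step 2: the client-side check. It only decides what UI to show.
def has_permission?(user_json, resource, action)
  user_json.dig("permissions", resource, action) == true
end

# Step 3: server-side authorization in Pundit's style (a policy per resource,
# one predicate per action). This check is the one that protects the data.
class NotAuthorizedError < StandardError; end

class ApplicationPolicy
  def initialize(user, record)
    @user = user
    @record = record
  end

  def view?;    allowed?("view");    end
  def edit?;    allowed?("edit");    end
  def destroy?; allowed?("destroy"); end

  private

  # Recomputed from the authenticated user's roles on every request.
  def allowed?(action)
    role_allows?(@user.roles, "applications", action)
  end
end

def authorize!(user, record, query)
  policy = ApplicationPolicy.new(user, record)
  raise NotAuthorizedError, "not allowed to #{query} on #{record}" unless policy.public_send(query)
  true
end

# A request handler. The client may send a forged permissions object in params;
# it is never consulted, only the server-side policy decides.
def handle_destroy(current_user, params)
  authorize!(current_user, "applications", :destroy?)
  "destroyed application #{params["id"]}"
rescue NotAuthorizedError => e
  "403 #{e.message}"
end
```

The point of step 3 is visible in `handle_destroy`: a caller holding a viewer's token can edit the JSON the client stores and claim `destroy: true`, but the policy never reads that object, so the request is still refused.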

@pommerien

Hi @lynndylanhurley, I just stumbled across the same requirement / issue. I understand your suggestion, however from an implementation standpoint I am struggling with (1). How does one modify the user object which is being returned by devise for both sign_in as well as validate_token? I am sure it has been asked before, but I could not find it. Basically in my case I have the "User" class and a "UserRole" class which roughly represents your "permissions" in the example above. So I would expect a return JSON object along these lines:
    {
      id: 1,
      email: ...,
      // ...
      roles: ["phone_operator", "printer_administrator"]
    }

Any suggestions on how I tie in the relation?

@lynndylanhurley
Owner

@pommerien - just override the token_validation_response in your User model. (You may need to update to the latest beta version for this to work. I'll push a new release ASAP).

The method to override is here.
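
An added example of the override pattern described above, runnable without Rails (it is not devise_token_auth's code). The gem's default `token_validation_response` is assumed here to be the model's `as_json` with the token and timestamp columns removed, and is modelled by the stand-in module `TokenAuthUserConcern`; `UserRole`, the `tokens` column contents and `build_user` are assumptions for illustration. The override calls `super` so the role list is appended to the same filtered response, and `naive_response` shows what goes wrong if `as_json` is merged directly instead.

```ruby
# Added example, not the gem's code. TokenAuthUserConcern is an assumed stand-in
# for the gem's User concern; the real method to override is named
# token_validation_response, as stated in the comment above.
module TokenAuthUserConcern
  # Columns that must never reach the client: the hashed session tokens and timestamps.
  HIDDEN_FIELDS = %w[tokens created_at updated_at].freeze

  def token_validation_response
    as_json.reject { |key, _| HIDDEN_FIELDS.include?(key) }
  end
end

# Stand-in for a UserRole model with a name column (assumed).
UserRole = Struct.new(:name)

class User
  include TokenAuthUserConcern

  attr_reader :id, :email, :tokens, :user_roles

  def initialize(id:, email:, tokens:, user_roles:)
    @id = id
    @email = email
    @tokens = tokens
    @user_roles = user_roles
  end

  # Stand-in for ActiveRecord's as_json: every column, tokens included.
  def as_json(*)
    {
      "id" => id,
      "email" => email,
      "tokens" => tokens,
      "created_at" => "2015-02-19T00:00:00Z",
      "updated_at" => "2015-02-19T00:00:00Z",
    }
  end

  # The override: keep the gem's filtered response and add the roles relation.
  def token_validation_response
    super.merge("roles" => user_roles.map(&:name))
  end
end

# What NOT to do: building the response from as_json directly leaks the
# tokens column to the client.
def naive_response(user)
  user.as_json.merge("roles" => user.user_roles.map(&:name))
end

# Constructed sample user; the token hash is a placeholder, not a real value.
def build_user
  User.new(
    id: 1,
    email: "ops@example.com",
    tokens: { "client-abc" => { "token" => "$2a$10$placeholderhash", "expiry" => 1_424_390_400 } },
    user_roles: [UserRole.new("phone_operator"), UserRole.new("printer_administrator")]
  )
end
```

Check the override against both responses the gem sends (sign_in and validate_token) in your version; the safe test is that `tokens` is absent from every user payload the API returns.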

@vs4vijay

@lynndylanhurley overriding token_validation_response doesn't work; I had to override the whole SessionController and TokenValidationsController for the desired response.

cc: @pommerien
