#9 ✓invalid
Brian Langenfeld


Reported by Brian Langenfeld | February 12th, 2009 @ 10:14 AM

Wrote something I think could be nice to add to our little project... it's an "acts_as" macro that really DRYs up controllers, while at the same time baking in declarative_authorization for security filtering. Check out the rdoc I wrote, and let me know your thoughts... I think something like this might give us a really nice bump.

If you want to take a closer look, see my fork. :-)


Macro for generating filters that automagically check authorization rules and load
appropriate resource instance variables.  Also generates default handlers for the seven basic
RESTful actions: +[ :index, :show, :new, :create, :edit, :update, :destroy ]+.

In its default configuration, +acts_as_resource_controller+ will take a guess at the resource
class being dealt with by the calling controller class, and generate actions and security
filters for the seven basic RESTful actions listed above.

However, +acts_as_resource_controller+ can be configured to support nested resources and set
up security, resource loads, and default behavior for any number of actions.  (See the
documentation for +Options+ for more details.)  As with any other Ruby class, any default
action methods set up by +acts_as_resource_controller+ may be overridden as desired.  The
overrides will still enjoy the security filters and object loading provided for free by the


This call generates everything you need in a RESTful controller for a non-nested
resource.  All seven basic RESTful actions are generated with declarative_authorization
security baked into the load methods used to populate the collection (@posts) or member
(@post) instance variables, as appropriate.  DRY as a bone!

class PostsController < ApplicationController
  acts_as_resource_controller
end

Here, we're setting up the controller to deal with a nested resource.  Everything in the
previous example is true here as well, plus the parent resource (@post) is loaded and
used as a context for loading the collection (@replies) or member (@reply) instance
variables, as appropriate.  (In other words, the declarative_authorization calls look
like +permitted_to!( :read, @post.replies )+, and calls to +find+ using +ObligationScope+
look like +@post.replies.with_permissions_to( :edit )+.)

class RepliesController < ApplicationController
  acts_as_resource_controller do |options|
    options.parent_class = Post
  end
end

If your RESTful actions need to do more than what +acts_as_resource_controller+ provides
by default, simply override them.  The new method definition will still be protected by
the security filters set up by +acts_as_resource_controller+, and the appropriate
instance variables will still be accessible, as expected.

class PostsController < ApplicationController
  acts_as_resource_controller

  def show
    @post.last_shown_at = Time.now
  end
end

Finally, if your action needs are less or more than the seven basic RESTful actions
provided by default, you can configure +acts_as_resource_controller+ to generate default
handlers for any collection and member actions you wish.  All of the generated actions
are very basic, but again, security filters and instance variables are baked right in.

class PetsController < ApplicationController
  acts_as_resource_controller do |options|
    options.member_actions = [ :show, :new, :create, :brush ]
    options.collection_actions << :feed
  end

  def brush
  end

  def feed
    dog_food = Food.find_by_animal( :first, 'dog' )
    @pets.each { |pet| pet.feed(dog_food) && pet.save }
  end
end

For a complete list of all configuration options, see the documentation for +Options+.
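
The claim above that an overridden action stays behind the generated filter, shown as a plain-Ruby sketch added here (it is not code from the fork or from declarative_authorization). +SketchController+, +acts_as_resource_sketch+, the +POSTS+ data and the owner-only rule are all constructed for illustration; the point is that the filter is registered separately from the action method, so redefining the action does not remove the check.

```ruby
class NotPermitted < StandardError; end

class SketchController
  class << self
    def filters
      @filters ||= []
    end

    # Hypothetical stand-in for the macro: registers one authorize-and-load
    # filter, then defines a default method for each listed member action.
    def acts_as_resource_sketch(resource, member_actions = [:show, :edit])
      check = lambda do |controller, action|
        record = resource.fetch(controller.params[:id])
        # Constructed rule: only the owner of a record may act on it.
        raise NotPermitted, "#{action} denied" unless record[:owner] == controller.user
        controller.record = record
      end
      filters << check
      member_actions.each { |name| define_method(name) { record[:title] } }
    end
  end

  attr_accessor :record
  attr_reader :params, :user

  def initialize(user, params)
    @user = user
    @params = params
  end

  # Dispatch like a filter chain: every filter runs before the action body.
  def process(action)
    self.class.filters.each { |filter| filter.call(self, action) }
    public_send(action)
  end
end

POSTS = { 1 => { owner: 'alice', title: 'Hello' } } # constructed sample data

class PostsSketchController < SketchController
  acts_as_resource_sketch POSTS

  # Overrides the generated action; the registered filter still runs first.
  def show
    record[:last_shown_at] = Time.now
    "shown: #{record[:title]}"
  end
end
```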


By now, decl_auth is using the GitHub issue tracker as well. Please use the one over there: http://github.com/stffn/declarative_authorization/issues
