[openstreetmap/openstreetmap-website] Initial cut at authorization patterns (#1904)

Chris Flipse notifications at github.com
Sun Jun 17 18:23:04 UTC 2018

This is an initial run at adding a centralized authentication mechanism by the team from RubyForGood.

During the pre-RubyForGood conversations, we converged on `CanCanCan` because of its centralized authorization configuration, the ability to ensure authorization happens with a single controller filter, and its default-deny policy.

This PR represents a few initial passes at making this work within the existing system.  The basics of the authorization controls have been added to the application controller, and a small number of controllers have been shifted to the new system, to demonstrate a couple of different authorization scenarios:

For a controller that requires admin privileges, forcing a login for an unauthenticated user, while raising an error for an authenticated user who happens to not be an administrator.  The `Diary Entry` controller's `deny_access` shows how we would be able to override failure behavior when needed.

CanCanCan also provides view helpers that can check permissions, and so avoid rendering links to unauthorized resources, but we have not added any of those to the view templates.

There is something very important to note here:  The existing code leans towards the friendly, describing to users why access has been denied to a particular resource.  A default-deny system like `cancancan` _cannot_ provide this information on its own. As a result, either some of the error messages will have to become less informative, or it will become necessary to duplicate some subset of the access logic in the controllers in order to provide more informative failure messages.


-- Commit Summary --

  * Add cancancan and the first ability definitions for site_controller
  * don't check authorization everywhere
  * fix tests for site controller
  * use token in ability checks
  * use a controller method to handle cancan denials
  * Implement the cancan filters for diary entries
  * add test helper to set oauth tokens
  * Use cancancan to authorize user_preference_controller
  * fix and improve ability coverage to account for tokens
  * Authorize actions on GeocoderController with CanCanCan Ability
  * Update capabilities check to actually reflect the existing logic
  * separate ability and capability

-- File Changes --

    M Gemfile (1)
    M Gemfile.lock (2)
    M app/controllers/application_controller.rb (20)
    M app/controllers/diary_entry_controller.rb (31)
    M app/controllers/site_controller.rb (7)
    M app/controllers/user_controller.rb (2)
    M app/controllers/user_preferences_controller.rb (5)
    A app/models/ability.rb (51)
    A app/models/capability.rb (19)
    M test/controllers/user_preferences_controller_test.rb (5)
    A test/models/abilities_test.rb (71)
    A test/models/capability_test.rb (51)
    M test/test_helper.rb (11)
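
The default-deny check and the split failure handling described in the message above (login for an unauthenticated user, an error for an authenticated non-admin), as an added plain-Ruby sketch. It is not code from this pull request and does not use the CanCanCan gem; the `User` struct, the `handle_request` helper, the action names and the return symbols are hypothetical.

```ruby
# Plain-Ruby model of a default-deny ability check (not CanCanCan itself).
class AccessDenied < StandardError; end

User = Struct.new(:name, :admin) # hypothetical user record

class Ability
  def initialize(user)
    @rules = []                   # no rules yet, so everything is denied
    can :index, :site             # public action, allowed for anyone
    return unless user

    can :update, :preferences     # any logged-in user
    can :hide, :diary_entry if user.admin # hypothetical admin-only action
  end

  # Record one allowed (action, subject) pair.
  def can(action, subject)
    @rules << [action, subject]
  end

  # Allowed only if a rule was explicitly recorded.
  def can?(action, subject)
    @rules.include?([action, subject])
  end

  def authorize!(action, subject)
    raise AccessDenied, "#{action} #{subject}" unless can?(action, subject)
  end
end

# Stand-in for a single controller filter plus its denial handler.
def handle_request(user, action, subject)
  Ability.new(user).authorize!(action, subject)
  :ok
rescue AccessDenied
  # The ability only answers "no"; it carries no reason for the denial.
  # The handler chooses the response from what it knows about the caller.
  user ? :forbidden : :redirect_to_login
end
```

An action that no rule mentions is denied the same way as one the user merely lacks rights for, which is why a more specific failure message needs extra logic outside the ability.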
