Skip to main content

Rails: authlogic and acl_system2 under Rails 2.3.2

Updated: Documented my migration.

I got authlogic and acl_system2 to work together under Rails 2.3.2. authlogic provides authentication. acl_system2 provide authorization, i.e. ACLs. authlogic is very up-to-date, but acl_system2 is a bit dated. That's okay, though, because it's not the sort of thing that should need to change much.

Let me cover some of the stumbling blocks I encountered after I followed the authlogic tutorial and the acl_system2 documentation.

acl_system2 is not available as a gem. Hence, you need to install it via:
script/plugin install git://github.com/ezmobius/acl_system2.git
If you followed the authlogic tutorial, you'll end up with the ApplicationController#current_user method being private. To work with acl_system2, it should instead be protected. Otherwise, you'll end up with this:
You have a nil object when you didn't expect it!
The error occurred while evaluating nil.roles (NoMethodError)
.../vendor/plugins/acl_system2/lib/caboose/role_handler.rb:15:in `check'
.../vendor/plugins/acl_system2/lib/caboose/logic_parser.rb:43:in `process'
.../vendor/plugins/acl_system2/lib/caboose/access_control.rb:101:in `allowed?'
.../vendor/plugins/acl_system2/lib/caboose/access_control.rb:28:in `access_control'
Here's what my migration looks like:
class CreateRoles < ActiveRecord::Migration
def self.up
create_table :roles do |t|
t.string :title, :null => false

t.timestamps
end

add_index :roles, :title, :unique => true

create_table :roles_users, :id => false do |t|
t.integer :role_id, :null => false, :options => "CONSTRAINT fk_role_id_roles REFERENCES roles(id)"
t.integer :user_id, :null => false, :options => "CONSTRAINT fk_user_id_users REFERENCES users(id)"
end

Role.delete_all
Role.create :title => "admin"
end

def self.down
Role.delete_all
drop_table :roles_users
drop_table :roles
end
end
Each of my controllers has something like:
before_filter :require_user
access_control :DEFAULT => 'admin'
I decided to add the following to ApplicationController as protected methods:
def permission_denied
render :text => "Forbidden", :status => "403 Forbidden"
end

def permission_granted
end
That way the HTTP status gets set for "Permission denied".

In order to test the above using Cucumber and Webrat, I added a feature step like:
And the HTTP status should be "403 Forbidden"
Then, I added a step definition:
Then /^the HTTP status should be "([^\"]*)"$/ do |status|
response.status.should == status
end
So far, I'm pleased :)

Comments

Unknown said…
There is also something else that caused me to spend some time debugging, and that is that acl_system2 makes the assumption that there is a method called "current_user". In access_control.rb:

@default_access_context[:user] = send(:current_user) if respond_to?(:current_user)

Now that is fine and dandy but my method was not called current_user, and because of this it was throwing the nil.roles error (and there was no obvious stack trace).

The reason I had to change the (I guess "standard") naming of current_user is very non-obvious (and I also spent a long time debugging this). I use ActiveScaffold and that is also defining its own version (and for different purposes) of "current_user".

I hope to be able to patch acl_system2 in a way that makes this naming convention more obvious.

Thanks for your post, as it helped me determine the problem.
jjinux said…
Good luck with that.

Popular posts from this blog

Drawing Sierpinski's Triangle in Minecraft Using Python

In his keynote at PyCon, Eben Upton, the Executive Director of the Rasberry Pi Foundation, mentioned that not only has Minecraft been ported to the Rasberry Pi, but you can even control it with Python. Since four of my kids are avid Minecraft fans, I figured this might be a good time to teach them to program using Python. So I started yesterday with the goal of programming something cool for Minecraft and then showing it off at the San Francisco Python Meetup in the evening.

The first problem that I faced was that I didn't have a Rasberry Pi. You can't hack Minecraft by just installing the Minecraft client. Speaking of which, I didn't have the Minecraft client installed either ;) My kids always play it on their Nexus 7s. I found an open source Minecraft server called Bukkit that "provides the means to extend the popular Minecraft multiplayer server." Then I found a plugin called RaspberryJuice that implements a subset of the Minecraft Pi modding API for Bukkit s…

Apple: iPad and Emacs

Someone asked my boss's buddy Art Medlar if he was going to buy an iPad. He said, "I figure as soon as it runs Emacs, that will be the sign to buy." I think he was just trying to be funny, but his statement is actually fairly profound.

It's well known that submitting iPhone and iPad applications for sale on Apple's store is a huge pain--even if they're free and open source. Apple is acting as a gatekeeper for what is and isn't allowed on your device. I heard that Apple would never allow a scripting language to be installed on your iPad because it would allow end users to run code that they hadn't verified. (I don't have a reference for this, but if you do, please post it below.) Emacs is mostly written in Emacs Lisp. Per Apple's policy, I don't think it'll ever be possible to run Emacs on the iPad.

Emacs was written by Richard Stallman, and it practically defines the Free Software movement (in a manner of speaking at least). Stal…

ERNOS: Erlang Networked Operating System

I've been reading Dreaming in Code lately, and I really like it. If you're not a dreamer, you may safely skip the rest of this post ;)

In Chapter 10, "Engineers and Artists", Alan Kay, John Backus, and Jaron Lanier really got me thinking. I've also been thinking a lot about Minix 3, Erlang, and the original Lisp machine. The ideas are beginning to synthesize into something cohesive--more than just the sum of their parts.

Now, I'm sure that many of these ideas have already been envisioned within Tunes.org, LLVM, Microsoft's Singularity project, or in some other place that I haven't managed to discover or fully read, but I'm going to blog them anyway.

Rather than wax philosophical, let me just dump out some ideas:Start with Minix 3. It's a new microkernel, and it's meant for real use, unlike the original Minix. "This new OS is extremely small, with the part that runs in kernel mode under 4000 lines of executable code." I bet it&…