SI - Module5

Transcript

1. Module 5: Authorization and AJAX

2. @zamith

3. None

4. Authorization

5. Authorization != Authentication

6. We know who you are, but can you perform this

   action? “
7. None

8. Role Based Authorization

9. None

10. Authorization in Rails

11. Authentication based authorization

12. Role as a boolean

13. User.first.admin? add_column :users, :admin, :boolean, required: true, default: false db/migrate/xxx_add_role_to_users.rb

    rails console

14. Role as a string

15. User.first.admin? add_column :users, :role, :string, required: true, default: “regular” db/migrate/xxx_add_role_to_users.rb

    rails console

16. app/models/user.rb class User < ActiveRecord::Base USER_ROLES = [“regular”, “admin”] private_constant

    :USER_ROLES validates_inclusion_of :role, in: USER_ROLES def admin? role == "admin" end end

17. Role as a table

18. db/migrate/xxx_create_roles.rb create_table :roles do |t| t.string :name, required: true t.timestamps

    null: false end add_belongs_to :users, :role, index: true

19. app/models/role.rb class Role < ActiveRecord::Base USER_ROLES = %w(regular admin) private_constant

    :USER_ROLES validates_presence_of :name validates_inclusion_of :name, in: USER_ROLES end

20. Authorization Frameworks

21. CanCan

22. app/models/ability.rb class Ability include CanCan::Ability def initialize(user) @user = user

    if user public_send user.role else guest end end def guest can [:show, :update], Invite end ... ... def registered can :read, :all can :manage, Book do |book| book.team_id == @user.team.id end end def admin can :manage, :all end end

23. Pundit

24. app/controllers/restaurants_controller.rb def update @restaurant = Restaurant.find(params[:id]) authorize @restaurant if @restaurant.update(restaurant_params)

    redirect_to restaurants_path else render :edit end end app/policies/restaurant_policy.rb class RestaurantPolicy < ApplicationPolicy def update? user.admin? end end

25. Asynchronous JavaScript And XML (AJAX)

26. AJAX allows you to make requests to the server without

    reloading the page and receive and work with data from the server “

27. AJAX with jQuery

28. $.ajax({ url: "/restaurants" }) .done(function(html) { $("#results").append(html); }); $.ajax

29. $.ajax({ dataType: "json", url: "/restaurants.json", success: success }); $.getJSON $.getJSON("/restaurants.json",

    function() { // success });

30. Rails remote

31. <%= link_to "Click me", restaurants_path %>

32. <%= link_to "Click me", restaurants_path, remote: true %>

33. <%= link_to "Click me", restaurants_path, remote: true %> Your request

    is now done via AJAX The request uses the JS format, and you have to handle it on the server