How to Add Simple Permissions into Your Simple App. Also, Thoughtbot Rules!

Last week, in a few hours, I whipped together flightcontrolled.com for Flight Control, a super fun iPhone game. The site allows users to upload screenshots of their high scores. I thought I would provide a few details here as some may find it interesting.

It is a pretty straightforward and simple site, but it did need a few permissions. I wanted users to be able to update their own profile, scores and photos, but not anyone else’s. On top of that, I, as an admin, should be able to update anything on the site. I’m sure there is a better way, but this is what I did and it is working just fine.

Add admin to users

I added an admin boolean to the users table. You may or may not know this, but Active Record adds handy boolean methods for all your columns. For example, if the user model has an email column and an admin column, you can do the following.

user = User.new user.email? # => false user.email = 'foobar@foobar.com' user.email? # => true user.admin? # => false user.admin = true user.admin? # => true

Simple permissions module

Next up, I created a module called permissions, that looks something like this:

module Permissions def changeable_by?(other_user) return false if other_user.nil? user == other_user || other_user.admin? end end

I put this in app/concerns/ and added that directory to the load path, but it will work just fine in lib/.

Mixin the permission module

Then in the user, score and photo models, I just include that permission module.

class Score < ActiveRecord::Base include Permissions end class Photo < ActiveRecord::Base include Permissions end class User < ActiveRecord::Base include Permissions end

Add checks in controllers/views

Now, in the view I can check if a user has permission before showing the edit and delete links.

<%- if score.changeable_by?(current_user) -%> <li class="actions"> <%= link_to 'Edit', edit_score_url(score) %> <%= link_to 'Delete', score, :method => :delete %> </li> <%- end -%>

And in the controller, I can do the same.

class ScoresController < ApplicationController before_filter :authorize, :only => [:edit, :update, :destroy] private def authorize unless @score.changeable_by?(current_user) render :text => 'Unauthorized', :status => :unauthorized end end end

Macro for model tests

I didn’t forget about testing either. I created a quick macro for shoulda like this (also uses factory girl and matchy):

class ActiveSupport::TestCase def self.should_have_permissions(factory) should "know who has permission to change it" do object = Factory(factory) admin = Factory(:admin) other_user = Factory(:user) object.changeable_by?(other_user).should be(false) object.changeable_by?(object.user).should be(true) object.changeable_by?(admin).should be(true) object.changeable_by?(nil).should be(false) end end end

Which I can then call from my various model tests:

class ScoreTest < ActiveSupport::TestCase should_have_permissions :score end

Looking at it now, I probably could just infer the score factory as I’m in the ScoreTest, but for whatever reason, I didn’t go that far.

A sprinkle of controller tests

I also did something like the following to test the controllers:

class ScoresControllerTest < ActionController::TestCase context "A regular user" do setup do @user = Factory(:email_confirmed_user) sign_in_as @user end context "on GET to :edit" do context "for own score" do setup do @score = Factory(:score, :user => @user) get :edit, :id => @score.id end should_respond_with :success end context "for another user's score" do setup do @score = Factory(:score) get :edit, :id => @score.id end should_respond_with :unauthorized end end end context "An admin user" do setup do @admin = Factory(:admin) sign_in_as @admin end context "on GET to :edit" do context "for own score" do setup do @score = Factory(:score, :user => @admin) get :edit, :id => @score.id end should_respond_with :success end context "for another user's score" do setup do @score = Factory(:score) get :edit, :id => @score.id end should_respond_with :success end end end end

Summary of Tools

I should call flightcontrolled, the thoughtbot project as I used several of their awesome tools. I used clearance for authentication, shoulda and factory girl for testing, and paperclip for file uploads. This was the first project that I used factory girl on and I really like it. Again, I didn’t get the fuss until I used it, and then I was like “Oooooh! Sweet!”.

One of the cool things about paperclip is you can pass straight up convert options to imagemagick. Flight Control is a game that is played horizontally, so I knew all screenshots would need to be rotated 270 degress. I just added the following convert options (along with strip) to the paperclip call:

has_attached_file :image, :styles => {:thumb => '100>', :full => '480>'}, :default_style => :full, :convert_options => {:all => '-rotate 270 -strip'}

Conclusion

You don’t need some fancy plugin or a lot of code to add some basic permissions into your application. A simple module can go a long way. Also, start using Thoughtbot’s projects. I’m really impressed with the developer tools they have created thus far.