Title

RailsConf 2018: Access Denied: the missing guide to authorization in Rails by Vladimir Dementyev

Description

Rails brings us a lot of useful tools out-of-the-box, but there are missing parts too. For example, for such essential tasks as authorization we are on our own. Even if we choose a trending OSS solution, we still have to care about the way to keep our code maintainable, efficient, and, of course, bug-less. Working on Rails projects, I've noticed some common patterns in designing access systems as well as useful code techniques I'd like to share with you in this talk.
Summary
In the talk 'Access Denied: the missing guide to authorization in Rails' by Vladimir Dementyev at RailsConf 2018, the speaker delves into authorization mechanisms within Ruby on Rails applications, emphasizing the absence of built-in tools for this essential function. The session is divided into a theoretical overview followed by practical implementations of authorization.

Key points include:

- **Definition of Authorization**: Authorization is distinct from authentication; it determines whether a user has the permissions to perform a specific action.
- **Common Confusions**: The speaker clarifies the often-confused terms, explaining that authentication answers "Who are you?" while authorization answers "Are you allowed to do that?"
- **Four Lines of Defense**: Effective authorization typically comprises (1) a physical model for managing access, and (2) an authorization layer for verifying permissions during user interactions with applications.
- **Authorization Models**: The talk reviews various models, including:
  - **Discretionary Access Control**
  - **Mandatory Access Control**
  - **Role-Based Access Control**
  - **Attribute-Based Access Control**

  Each model has its own strengths and weaknesses, impacting how permissions are managed.
- **Tools for Authorization**: The speaker compares popular authorization gems like CanCan and Pundit, discussing their pros and cons while highlighting their usual use cases in Rails applications.
- **Action Policy**: Dementyev introduces a new gem, Action Policy, designed to fill gaps left by existing tools, emphasizing simplicity, readability, and reduced duplication of code in policy definitions.
- **Performance Considerations**: The importance of caching in authorization checks is highlighted, with techniques demonstrated to optimize performance and ensure smooth application functionality.
- **Testing Authorization Logic**: The necessity of thorough coverage for authorization tests is discussed, stressing that proper testing practices are crucial to prevent unauthorized access.
- **Development of Action Policy Gem**: The speaker shares insights into the creation of the Action Policy gem aimed at enhancing the existing Rails authorization frameworks while addressing common pitfalls in authorization logic.

In conclusion, the talk presents a comprehensive approach to implementing effective authorization in Rails, encouraging developers to adopt structured methods and the new Action Policy gem for more efficient and manageable authorization practices.
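As an added illustration (not code from the talk or from the Action Policy gem), the following plain-Ruby sketch shows the ideas the summary lists: a policy object with a role-based and an attribute-based rule, a separate authorization layer that asks the policy and raises on denial, and a per-request cache so a rule is evaluated once per (record, rule). `PostPolicy`, `Authorizer`, `Unauthorized` and the `User`/`Post` structs are hypothetical names chosen for this example.

```ruby
User = Struct.new(:id, :role)                  # identity is known: authentication is done
Post = Struct.new(:id, :author_id, :published)
class Unauthorized < StandardError; end

# Policy object: one class per resource, one predicate method per action.
class PostPolicy
  attr_reader :user, :record
  def initialize(user, record)
    @user, @record = user, record
  end
  def manage?          # RBAC: the role alone decides
    user.role == :admin
  end
  def update?          # ABAC: attributes of user and record decide
    manage? || record.author_id == user.id
  end
  def show?
    record.published || update?
  end
end

# Authorization layer: finds the policy, memoizes results per (record, rule).
class Authorizer
  attr_reader :evaluations
  def initialize(user)
    @user = user
    @cache = {}        # per-request cache (constructed here); dropped with the request
    @evaluations = 0   # counts real rule evaluations, to make caching visible
  end

  def allowed_to?(rule, record)
    key = [record.class, record.id, rule]
    return @cache[key] if @cache.key?(key)   # key? so cached `false` is honoured
    @evaluations += 1
    @cache[key] = policy_for(record).public_send(rule)
  end

  def authorize!(rule, record)
    return true if allowed_to?(rule, record)
    raise Unauthorized, "#{rule} denied on #{record.class}##{record.id}"
  end

  private

  def policy_for(record)
    Object.const_get("#{record.class}Policy").new(@user, record)
  end
end
```

A policy test then boils down to instantiating `PostPolicy` with a user and record and asserting each predicate, which is where the talk's point about covering every rule applies.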