Times to times, one needs to interact with AngularJs at runtime. ( for debugging purpose ... )
My Teamates frequently ask me how do I ... check this directive isolated scope structure for example ...
I think the simple answer is :
Select the directive's element for inspection in your debugger. In console you can select it using chrome's helper : $0 , which is the current selected element.
And then :
angular.element($0).scope();
Tuesday, December 3, 2013
Wednesday, October 16, 2013
Advanced Rails 4 Authorization with Pundit.
Here is a good illustration of the underlying power of Voidness...
Pundit is a realy simple Ruby Gem, that does nothing more that you could have done yourself. Here is the power !
When updating to Rails 4 in it's early days, you had no compliant authorization solutions.
Ryan Bates's Cancan was the most used due to it's flexibility and simplicity, but it is not Rails 4 compliant, and brings too much magic for me.
But is there something more flexible and simple than the Void ? ( OK, ... I stop with VoidMadness ... )
For one of my current job, I started to build a software that needs flexible right management. ( And also a People relations graph, but this is for another post ).
The requirement are :
* Fined grained activities( or action ) access control
* Fields read / write access control
* Flexible Role based system that allow role inheritance
In this article I'll address only the first requirement, the second will be explained in the next article, while the last one does not need to be since it is obvious.
It is a basic pattern. I don't need to explain it. User can have many Roles and Role may be filled by many Users.
For each Role, I want to allow some activities. (IE: For accountant : create bill, update payment. For Team Manager : Plan Task for a member of his/her Team )
Pundit set some helpers to :
* Check Policy for a given user on a given object( it is not restricted to ActiveRecord::Base instances ).
* Describe Policy in Ruby Class
* Enforce use of Policy in your controllers
* Bring syntactic sugar in you Rspec tests.
I recommend you to read Pundit's README.md before going further, since I won't explain what is already explained there.
If found an interesting post from Derick Bailey about authorization patterns, putting words on some of my thoughts. Reading this is not required to go further, but I recommend to.
The activities is not a finite collection. In fact, from my point of view, activities are defined by the following set : All methods directly exposed to user except.
In the Ruby On Rails world as in many MVC frameworks, this mean all the methods available on controllers. (Authentication Activities is a Subset of this set, that has particularity to be allowed to all users.)
I do not want to have a collection of activities to maintain. I do not want to reify them through an Postgres table or a flat file.
I want that default behavior is to deny. This behavior should be overridden if you have the appropriate role.
Since I'am building a REST API, I want to scope each activity on his resource.
Example:
The Person resource expose through API it's CRUD methods (We will not use HTTP verbs to authorized. I do not find clever to bind Authorization on the Transfer Protocol ).
I see Person activities as the following set :
person:create
person:update
person:delete
person:show
person:index
...
The pattern is dead simple and interpolate as #{resource}:#{activity}
With all those postulates, I decided to store activities on Role through the Postgres Array Type. It will be an array of strings.
Then I just had to teach Pundit the way I wan't it to authorize activities :
This may need some explanations :
This is the ApplicationPolicy, it will be inherited by each resource, allowing to extend/ override Policies by resources.
I replaced the bulk Pundits question marked CRUD methods with some meta-programming to avoid code duplication, and tedious declarations.
Line 9 : It recovers allowed activities for the current user.
Line 13 : The current activity against which we authorize is inferred from the object's class name ( the word record is used but i plan to change this, since record mean database record for me, but it could be any object ).
Line 17 : The (in)famous Ruby's method missing !
Any unknown method ending with a question mark in the current scope will be interpreted as a check access right for this activity method.
Each time we want to check access right for an activity, it will lookup the allowed activities for the current user roles ...
This is the way the most of work is done, with a few ruby lines of code.
To manage rights, all we need is to add the activity to user role, what could be more simple ?
Since all the work is done by the ApplicationPolicy class, the PersonPolicy class is just there to include and override behaviors.
Nothing extravagant here. Just read comments. Note that when the right are insufficient, It just return a 403 HTTP Header, it is enough for a REST API and is the way I understand the RFC 2616.
Just to show how it works and as proof , this is a dumb spec/test for the dumb person example.
The test ouput the following :
Easy :)
In a further post i'll detail how to apply read/write mask on object.
Pundit is a realy simple Ruby Gem, that does nothing more that you could have done yourself. Here is the power !
When updating to Rails 4 in it's early days, you had no compliant authorization solutions.
Ryan Bates's Cancan was the most used due to it's flexibility and simplicity, but it is not Rails 4 compliant, and brings too much magic for me.
But is there something more flexible and simple than the Void ? ( OK, ... I stop with VoidMadness ... )
For one of my current job, I started to build a software that needs flexible right management. ( And also a People relations graph, but this is for another post ).
The requirement are :
* Fined grained activities( or action ) access control
* Fields read / write access control
* Flexible Role based system that allow role inheritance
In this article I'll address only the first requirement, the second will be explained in the next article, while the last one does not need to be since it is obvious.
Let introduce the base models
For each Role, I want to allow some activities. (IE: For accountant : create bill, update payment. For Team Manager : Plan Task for a member of his/her Team )
About Pundit
Pundit set some helpers to :
* Check Policy for a given user on a given object( it is not restricted to ActiveRecord::Base instances ).
* Describe Policy in Ruby Class
* Enforce use of Policy in your controllers
* Bring syntactic sugar in you Rspec tests.
I recommend you to read Pundit's README.md before going further, since I won't explain what is already explained there.
The Activities
If found an interesting post from Derick Bailey about authorization patterns, putting words on some of my thoughts. Reading this is not required to go further, but I recommend to.
The activities is not a finite collection. In fact, from my point of view, activities are defined by the following set : All methods directly exposed to user except.
In the Ruby On Rails world as in many MVC frameworks, this mean all the methods available on controllers. (Authentication Activities is a Subset of this set, that has particularity to be allowed to all users.)
I do not want to have a collection of activities to maintain. I do not want to reify them through an Postgres table or a flat file.
I want that default behavior is to deny. This behavior should be overridden if you have the appropriate role.
Since I'am building a REST API, I want to scope each activity on his resource.
Example:
The Person resource expose through API it's CRUD methods (We will not use HTTP verbs to authorized. I do not find clever to bind Authorization on the Transfer Protocol ).
I see Person activities as the following set :
person:create
person:update
person:delete
person:show
person:index
...
The pattern is dead simple and interpolate as #{resource}:#{activity}
With all those postulates, I decided to store activities on Role through the Postgres Array Type. It will be an array of strings.
Meta-programming Right Management
Then I just had to teach Pundit the way I wan't it to authorize activities :
This may need some explanations :
This is the ApplicationPolicy, it will be inherited by each resource, allowing to extend/ override Policies by resources.
I replaced the bulk Pundits question marked CRUD methods with some meta-programming to avoid code duplication, and tedious declarations.
Line 9 : It recovers allowed activities for the current user.
Line 13 : The current activity against which we authorize is inferred from the object's class name ( the word record is used but i plan to change this, since record mean database record for me, but it could be any object ).
Line 17 : The (in)famous Ruby's method missing !
Any unknown method ending with a question mark in the current scope will be interpreted as a check access right for this activity method.
Each time we want to check access right for an activity, it will lookup the allowed activities for the current user roles ...
This is the way the most of work is done, with a few ruby lines of code.
To manage rights, all we need is to add the activity to user role, what could be more simple ?
The person resource
Since all the work is done by the ApplicationPolicy class, the PersonPolicy class is just there to include and override behaviors.
The application Controller
Nothing extravagant here. Just read comments. Note that when the right are insufficient, It just return a 403 HTTP Header, it is enough for a REST API and is the way I understand the RFC 2616.
The Rspec Tests. ( Behaviour Driven ? )
Just to show how it works and as proof , this is a dumb spec/test for the dumb person example.
The test ouput the following :
Easy :)
In a further post i'll detail how to apply read/write mask on object.
Friday, August 16, 2013
Holidays
Sorry, no geek blog post for a while.
Holidays are dedicated to :
I've found a nice spot, a cable wakepark between France and Spain : TSJ Saint Jean Pla de Corts
The full album is here
Holidays are dedicated to :
- Family
- Wakebording
- KiteSurfing
- Diving and snorkeling
I've found a nice spot, a cable wakepark between France and Spain : TSJ Saint Jean Pla de Corts
Wednesday, July 31, 2013
Aibrake , Rack , Session_off ...
After installing Airbrake gem my collection's request Rspec.specs stoped working as expected.
I encounterd this error:
RuntimeError: can't add a new key into hash during iterationSince Ruby 1.9(.3?) you cant modify Hash within iteration. ( even if they are ordered )
After some hours spent in debugger, I found that Airbrake gem Notification class uses Rack's Request @env variable to collect params for Aibrake/Errbit notification. Nothing weird here, but while collecting params in a loop , the clean_params method hit the racks request's @env with the #cookies method, in order to obtain the cookie hash. Code below :
Loading ....
I think that this is what misslead ThoughtBot guys, this method is available form the class Api ( I mean not private ) and returns the cookie Hash, but it also have side effects ... Sadly , it mutates the @env.
I can't say if this is bad design or not, but it looks weird to mee.
In order to get this working I submitted a fix to Airbrake, not to Rack ...
Last words, thanks to ThoughBot guys, for all the opensource tools they provide, and reactivity to merge contribs.
Tuesday, July 30, 2013
Airbrake gem fails when your rails sessions are disabled
If you experiment
undefined method `data' for nil:NilClassafter installing Airbrake gem and you have disabled your rails sessions ( for example with the session_off gem ) This is because airbrake read the session.data property to send them to the server. Since you disabled Session's , your controller's session returns nil. I submitted a fix to airbrake, if you can't wait you can source your aibrake gem from my github repository Edit : My branch has been merged in master, you can now rely on master.
Le réveil
Rien n'est plus confus ... d'ou je viens ? Qui suis-je ? Que suis-je?
Ils ont tous une explication, aucune n'est satisfaisante. On m'a donné un nom, que ce soit réellement le mien ou pas je n'ai plus qu'a faire avec.
On ne peut pas en changer, ça fait partie des règles.
"Tu es des nôtres ..."
Subscribe to:
Posts (Atom)