User authentication and authorization in a Rails application
So today, despite battling a nasty sinus infection-like cold, I decided to get started on setting up SA.org, a project I’m working on with @TopherBook. I’m not going to get into details right now - everything’s a bit hush-hush right now - but I felt I should mention SA.org to set some context for the subject of today’s post. Today, I want to discuss the “user system” in a Ruby on Rails application.
By “user system” I mean the part of your Rails app that manages user registration, login, logout, etc — the authentication part of the system. In the case of SA, my user system must also include authorization functionality for user roles — admin, member, moderator, etc.
When planning my user system for SA, I instinctively thought of technoweenie’s restful_authentication plugin. It’s basically the standard in authentication plugins and it’s one that I’m very familiar with. However, after reviewing the Authlogic plugin, I’m thinking of changing things up a bit for SA. Authlogic looks really easy to customize and to fit to my needs. I like how easy it (looks like it) is to use and that I can use only email addresses instead of usernames for login. I also like that the session management allows for a “remember me” type functionality as well as the ability to time out a session after a certain period of user inactivity. It also allows for a certain level of stateful authorization (active, approved, confirmed). Basically, it covers what I need, so why not give it a shot?
But there was still the question of which authorization plugin to use.
I turned to @mileszs for help (he’s like my go-to guy for ruby/rails related questions). I asked him if there was a plugin he could recommend, and he gave me a pretty good list to research.
- Rails Authorization - This is a sexy lookin’ plugin. It allows for authorization on both the class or instance method level, and allows for a high level of granularity. The support for dynamic methods based on your defined roles along with the #permit / #permit? methods is really impressive. Using the #permit method, you can construct your authorization expression in plain language. Examples include (taken from the plugin README):
  - permit “admin” (User model assumed)
  - permit “moderator of :workshop” (looks at the options hash and then @workshop)
  - permit “’top salesman’ at :company” (multiword roles delimited by single quotes)
  - permit “scheduled for Exam” (queries a class method of Exam)
- Role Requirement - Although not quite as sexy, it’s super simple (which, I guess, could be sexy). This is more of the shotgun approach to user authorization as it only operates on the controller level. It acts under the assumption that the controller is accessible to everyone, and actions must be restricted via the “require_role” before filter. Ideologically, this is the opposite of Rails Authorization, where the controller/action is considered inaccessible to everyone and access is granted. This is like the difference between attr_accessible and attr_protected.
- Padlock Authorization - This plugin falls somewhere in between the two I’ve already mentioned in terms of complexity. It works strictly on the object level, but can be made to work at the global level as well. I know that doesn’t make any sense, but if you read the documentation, you’ll get it. It appears to operate on the same principle as Role Requirement, in that all actions are initially accessible and you would specify which actions to restrict.
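To make the allow-by-default versus deny-by-default distinction concrete, here is an added example in plain Ruby that is not taken from this post or from any of the plugins it names. It models both styles with a tiny controller base class: `require_role` mirrors the Role Requirement idea (everything open unless an action is listed), `permit` mirrors the opposite default (nothing reachable without an explicit grant). The class, method and role names, the `AccessDenied` error and the sample users are all constructed for the example and are not the real plugins’ APIs. It also includes an `unguarded_actions` audit helper, which is the check I would want on any allow-by-default controller: it lists actions that nobody has restricted, which is exactly how a newly added action slips out unprotected.

```ruby
# Added example: a pure-Ruby model of allow-by-default vs deny-by-default
# controller authorization. Names here are constructed, not any plugin's API.

User = Struct.new(:name, :roles) do
  def has_role?(role)
    roles.include?(role)
  end
end

class AccessDenied < StandardError; end

# Style 1 (Role Requirement-like): every action is open unless a
# require_role rule names it. Forgetting the rule on a new action = exposure.
class AllowByDefaultController
  def self.rules
    @rules ||= {}
  end

  def self.require_role(role, only:)
    Array(only).each { |action| rules[action] = role }
  end

  def initialize(user)
    @user = user
  end

  def dispatch(action)
    role = self.class.rules[action]
    raise AccessDenied if role && !@user.has_role?(role)
    public_send(action)
  end
end

# Style 2 (Rails Authorization-like default): dispatch refuses any action
# that has no explicit permit, so a forgotten grant fails closed.
class DenyByDefaultController
  def self.grants
    @grants ||= {}
  end

  def self.permit(role, only:)
    Array(only).each { |action| grants[action] = role }
  end

  def initialize(user)
    @user = user
  end

  def dispatch(action)
    role = self.class.grants[action]
    allowed = role && (role == :anyone || @user.has_role?(role))
    raise AccessDenied unless allowed
    public_send(action)
  end
end

class PostsController < AllowByDefaultController
  require_role :admin, only: [:destroy]
  def index;     "listing posts";     end
  def destroy;   "post destroyed";    end
  def purge_all; "all posts purged";  end # new action, nobody added a rule
end

class SafePostsController < DenyByDefaultController
  permit :anyone, only: [:index]
  permit :admin,  only: [:destroy]
  def index;     "listing posts";     end
  def destroy;   "post destroyed";    end
  def purge_all; "all posts purged";  end # no permit, so unreachable by anyone
end

# Audit helper: which actions on an allow-by-default controller have no rule?
def unguarded_actions(controller_class)
  controller_class.public_instance_methods(false) - controller_class.rules.keys
end

def attempt(controller_class, user, action)
  controller_class.new(user).dispatch(action)
rescue AccessDenied
  :denied
end

MEMBER = User.new("alice", [:member]) # constructed sample users
ADMIN  = User.new("bob",   [:admin])

if __FILE__ == $PROGRAM_NAME
  puts "allow-by-default, member -> purge_all: #{attempt(PostsController, MEMBER, :purge_all)}"
  puts "deny-by-default,  member -> purge_all: #{attempt(SafePostsController, MEMBER, :purge_all)}"
  puts "unguarded on PostsController: #{unguarded_actions(PostsController).sort.inspect}"
end
```

The point the comparison to attr_accessible and attr_protected is making shows up in `purge_all`: under the allow-by-default model a member can run it because no one wrote the filter, while under the deny-by-default model even an admin is refused until a grant exists. If you go the Role Requirement route, something like `unguarded_actions` run over each controller (or a test that asserts it returns only the actions you meant to leave public) is cheap insurance.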
For SA, I’m leaning toward the Role Requirement plugin. I don’t need a high level of granularity as I’m expecting to only have 3-4 different user roles, and all role specific functionality will probably be split into separate controllers. I’m definitely going to keep Rails Authorization and Padlock Authorization in mind though for other projects (onCurrent perhaps?).
These are just a few of the many different authentication and authorization plugins out there (Clearance and Lockdown are worth looking into). What’s your favorite “user system” setup?