In my controllers I am restricting access to features based on the user's assigned price plan, which is an integer, mappable to a label such as ‘Gold’, ‘Silver’, ‘Bronze’.
As well as providing authorisation at the controller layer, where it belongs, I also wish to enforce this at the model layer. This gives me defense in depth and will also alert me to holes in the authorisation at the controller level where testing dare not tread.
I have a YAML file which lists methods (the key) and the minimum price plan each one requires (the value). At the top of my model I specify which methods I want to protect. At the bottom of the model I then alias each method and check the YAML file to make sure the price plan is sufficient; if it is not I raise an exception, otherwise I call the original method.
The YAML file, price_plan.yml, looks like this:
This was largely inspired by the following post: http://cheind.blogspot.com/2008/12/method-hooks-in-ruby.html
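
The alias-and-check pattern described above, as an added example that is not the author's original code. The YAML content, the plan numbering (1 = Bronze, 2 = Silver, 3 = Gold) and the names `PricePlanGuard`, `enforce_price_plan`, `PricePlanError` and `Account` are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed sample standing in for price_plan.yml: method name => minimum plan.
PRICE_PLAN_YAML = <<~YML
  export_report: 2
  bulk_import: 3
YML

PLAN_LABELS = { 1 => 'Bronze', 2 => 'Silver', 3 => 'Gold' }.freeze # assumed mapping

class PricePlanError < StandardError; end

# Hypothetical helper module; extend it into a model to get enforce_price_plan.
module PricePlanGuard
  MINIMUMS = YAML.safe_load(PRICE_PLAN_YAML).freeze

  # Call at the bottom of the class, once the protected methods exist.
  def enforce_price_plan(*names)
    names.each do |name|
      # Fail closed: a protected method with no YAML entry is a load-time error.
      minimum = MINIMUMS.fetch(name.to_s) do
        raise ArgumentError, "no minimum price plan configured for #{name}"
      end
      unguarded = "#{name}_without_price_plan_check"
      alias_method unguarded, name
      private unguarded # keep the alias from becoming a public bypass
      define_method(name) do |*args, &block|
        # nil.to_i is 0, so a record with no plan is always rejected.
        unless price_plan.to_i >= minimum
          raise PricePlanError, "#{name} requires #{PLAN_LABELS[minimum]} or higher"
        end
        send(unguarded, *args, &block)
      end
    end
  end
end

# Hypothetical model; price_plan is the integer described in the post.
class Account
  extend PricePlanGuard
  attr_reader :price_plan

  def initialize(price_plan)
    @price_plan = price_plan
  end

  def export_report(format) = "report.#{format}"
  def bulk_import(rows) = rows.size

  enforce_price_plan :export_report, :bulk_import
end
```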