A Deep Dive into the Rhino Framework: Part 2 (Authorization and the CrudController)

Rhino employs Devise to handle user authentication through token-based methods, verifying the identity of each user. Authorization is managed by Pundit and Rolify, which secure the API endpoints and define user permissions; the `rhino_organizations` module integrates Rolify for fine-grained role-based access control. Rhino's security is built on a "deny by default" principle, an application of the Principle of Least Privilege: an action is refused unless some policy explicitly grants it. CrudController leverages Devise, Pundit, and Rolify to enforce these authorization rules, calling `authorize` within each action to trigger the check. CrudPolicy functions as a dispatcher, directing authorization to the specific role-based policy for each of the user's roles, and the same dispatcher pattern is applied to data scoping to prevent data leaks: Rhino uses UNION statements to aggregate the scope results from all of the user's roles, so a user sees exactly the records at least one of their roles is permitted to see. By controlling the authorization flow of every CRUD action through CrudPolicy, this architecture keeps API development both robust and secure.
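The dispatcher pattern described above, as an added illustration that is not Rhino's own code: a plain-Ruby sketch (no Pundit, Rolify or database) of a `CrudPolicy` that consults one policy per role, denies by default when no role grants the action, and resolves a scope as the union of each role's scope. The role names `viewer` and `author`, the policy classes, the `Record`/`User` structs and the sample data are all constructed for this example; an in-memory `flat_map` plus `uniq` stands in for the SQL `UNION` the text mentions.

```ruby
# Added example: role-dispatching policy with deny-by-default and scope union.
# Everything here (role names, record shape, sample data) is constructed for illustration.

Record = Struct.new(:id, :owner_id, :published, keyword_init: true)
User   = Struct.new(:id, :roles, keyword_init: true)

# Constructed sample data: two owners, one published and one draft record each.
RECORDS = [
  Record.new(id: 1, owner_id: 10, published: true),
  Record.new(id: 2, owner_id: 10, published: false),
  Record.new(id: 3, owner_id: 20, published: true),
  Record.new(id: 4, owner_id: 20, published: false),
].freeze

class NotAuthorizedError < StandardError; end

# Deny by default: every CRUD predicate is false, and the scope is empty,
# unless a subclass explicitly overrides it.
class BasePolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  %i[index? show? create? update? destroy?].each do |action|
    define_method(action) { false }
  end

  class Scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      []
    end
  end
end

# Constructed role: a viewer may read published records only.
class ViewerPolicy < BasePolicy
  def index? = true
  def show? = record.published

  class Scope < BasePolicy::Scope
    def resolve = @scope.select(&:published)
  end
end

# Constructed role: an author may read and update their own records, published or not.
class AuthorPolicy < BasePolicy
  def index? = true
  def show? = record.owner_id == user.id
  def update? = record.owner_id == user.id

  class Scope < BasePolicy::Scope
    def resolve = @scope.select { |r| r.owner_id == @user.id }
  end
end

# Role name -> policy class. An unknown role has no policy and therefore grants nothing.
ROLE_POLICIES = { "viewer" => ViewerPolicy, "author" => AuthorPolicy }.freeze

# Dispatcher: an action is allowed if ANY of the user's role policies allows it.
class CrudPolicy < BasePolicy
  %i[index? show? create? update? destroy?].each do |action|
    define_method(action) do
      user.roles.any? do |role|
        klass = ROLE_POLICIES[role]
        klass && klass.new(user, record).public_send(action)
      end
    end
  end

  # Scope: union of every role's scope, deduplicated (the in-memory analogue of SQL UNION).
  class Scope < BasePolicy::Scope
    def resolve
      @user.roles.flat_map do |role|
        klass = ROLE_POLICIES[role]
        klass ? klass::Scope.new(@user, @scope).resolve : []
      end.uniq
    end
  end
end

# Controller-side helper in the spirit of Pundit's `authorize`: raise unless the policy allows it.
def authorize!(user, record, action)
  raise NotAuthorizedError, "#{action} denied" unless CrudPolicy.new(user, record).public_send(action)
  record
end

# Sorted ids the user may see through the unioned scope.
def visible_ids(user)
  CrudPolicy::Scope.new(user, RECORDS).resolve.map(&:id).sort
end
```

A user holding both roles sees the union of the viewer scope (published records 1 and 3) and the author scope (their own records 1 and 2), with record 1 appearing once; a user whose only role has no registered policy sees nothing and can do nothing, which is the deny-by-default behaviour the summary describes.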