Agile Web Development


ACL System

Welcome to the acl_system plugin for Rails. This plugin is designed to give you a flexible, declarative way of protecting your controller actions using roles. It's made to sit on top of any authentication framework that follows a few conventions. You will need a current_user method that returns the currently logged-in user. You will also need to give your User or Account model (or whatever you named it) a has_and_belongs_to_many :roles association, so you need a model called Role that has a title attribute. Once these two things are satisfied, you can use this plugin.


License: Rails' (MIT)
Rating: (71 votes)
Owner: Ezra Zygmuntowicz
Created: 26 May 2006


  • 26 June 2007

    I had to add/modify this line in the method restrict_to:

    return false if (current_user.nil? || current_user == false || current_user == :false)

    Is there a reason the plugin uses a symbol :false, rather than false?

  • 18 September 2007

    Thanks a lot for this precious comment. You must do this with restful_authentication for this to work as well.

  • Sohail Ahmed
    12 October 2007

    The readme says one must have a "has_and_belongs_to_many :roles". My model only assigns one Role and so I have a simple "belongs_to :roles". Can I fake out the "many" roles by just adding a cover method of roles to my User model, or is there some more fundamental reason it has to be a true many-to-many underneath?

  • 2 January 2008

    This looks a lot like: The main difference I think is the way how the access control is really defined in the controllers. And rolerequirement does this in a more 'rails' kind of way. But perhaps I'm missing some things.

  • Kevin Triplett
    30 March 2008

    Yes -- because Rick Olson's authenticated_system uses the symbol :false so that it's readily apparent that the system has already checked for a current user (the uninitialized current user variable is nil which evaluates as false). If current user is :false, then the system knows not to query the database for a current user again.
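
The `:false` sentinel discussed in the comments above, as an added example that is not code from acl_system or authenticated_system: `SessionStub`, `naive_logged_in?` and `role_allowed?` are hypothetical stand-ins, and the users are constructed. It shows how the sentinel avoids a repeated lookup and why a role guard has to deny it explicitly, since the symbol `:false` is truthy in Ruby.

```ruby
# Added example: stand-ins only, not acl_system or authenticated_system code.
Role = Struct.new(:title)
User = Struct.new(:login, :roles)

# Hypothetical session holder that mimics the :false sentinel pattern.
class SessionStub
  attr_reader :lookups

  def initialize(stored_user)
    @stored_user = stored_user   # nil means nobody is logged in
    @lookups = 0
  end

  # Memoize the lookup. A nil or false result would make ||= repeat the
  # lookup on every call; the truthy symbol :false records "already checked".
  def current_user
    @current_user ||= (find_user || :false)
  end

  private

  def find_user
    @lookups += 1                # stands in for a database query
    @stored_user
  end
end

# Naive guard: only nil counts as "not logged in", so :false slips through.
def naive_logged_in?(user)
  !user.nil?
end

# Fail-closed guard: nil, false and the :false sentinel are all denied, and
# the user must hold at least one of the required role titles.
def role_allowed?(user, *required_titles)
  return false if user.nil? || user == false || user == :false
  return false unless user.respond_to?(:roles)
  held = user.roles.map { |role| role.title.to_s }
  (held & required_titles.map(&:to_s)).any?
end

# Constructed sample sessions: one anonymous, one with the "admin" role.
ANON  = SessionStub.new(nil)
ADMIN = SessionStub.new(User.new("alice", [Role.new("admin")]))
```

Calling `ANON.current_user` several times performs one lookup, and only `role_allowed?` treats the result as unauthenticated.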
