2 posts tagged with "security"

Permission-Based Authorization in Rhino

· 8 min read
Ehsan Mirdamadi
Rhino Project Maintainer

Rhino provides robust core authorization and authentication through its policy system. While the default CrudPolicy and role-based policies (AdminPolicy, EditorPolicy, ViewerPolicy) handle most scenarios, some applications require fine-grained, permission-based authorization where individual actions are explicitly granted or denied based on a permissions table.

This guide will explore how to extend Rhino's authorization system with custom permissions while leveraging the existing policy architecture.

A Deep Dive into the Rhino Framework: Part 2 (Authorization and the CrudController)

· 9 min read
Ehsan Mirdamadi
Rhino Project Maintainer

In the first part of this series, we introduced Rhino's Model-Driven Development (MDD) approach and explored how its dynamic routing system generates API endpoints directly from your models. This architecture allows for rapid development, but it requires an equally robust system to secure those endpoints. This post will dissect that next layer, breaking down how Rhino handles authentication (verifying a user's identity) and authorization (determining what that user can do).

At the core of Rhino's security model are established and trusted Ruby gems: devise_token_auth for token-based authentication and pundit for fine-grained authorization. When the optional rhino_organizations module is installed for multi-tenancy, the rolify gem is introduced to enable sophisticated role-based access control (RBAC). We will explore how these components are seamlessly integrated within Rhino's default CrudController and CrudPolicy to provide a secure-by-default foundation for all your API resources, allowing you to build with confidence from the start.