To me, such an elaborate administration interface with login, permissions, and groups and what have you is out of scope for inclusion in the core framework.
Show of hands, how many deployed Rails apps have no concept of users?
I’m sure there are some, but the majority have some sort of registration, login and authorization. How many programmer hours are going into either re-inventing the wheel or customizing existing solutions?
Worse, a lot of projects will start with one of the many existing solutions only to realize too late that they need something different. Then they wind up having to maintain a customized solution that doesn’t participate in the network effects of community development.
There is a “less software” solution to this complexity.
Here’s what you do: Make an ActionUser module part of the Rails core. Add a good API for ActionController and ActiveRecord to authenticate methods against the current user. That’s it.
Just as important, here’s what you don’t do: Don’t implement permissions. Don’t implement roles. Don’t implement ACLs. Don’t create fancy permission management views, or even login controllers. That doesn’t belong in the core framework.
Just like ActiveRecord is database-agnostic, allow people to write pluggable auth modules that do the dirty work. Need to authenticate against LDAP? Make ActionUser::LDAP. Just need to keep anonymous users out of an admin section? Make ActionUser::Simple. Need to authenticate with cookies, or HTTP auth, or Kerberos? Interchangeable modules. Develop locally with SQLite and HTTP auth, then deploy to production with Oracle and Kerberos.
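To make the proposal concrete, here is a sketch of what that pluggable interface could look like. This is an added example written for this post, not code from Rails or from any real ActionUser project: the module name, the `authenticate(request)` backend contract, the `HTTPBasic` and `Simple` backends and the `require_user` filter are all assumptions, and the request is a plain Hash standing in for a Rails request. The point it demonstrates is the division of labour from above: the core only ever answers "who is the current user?" through one interface, backends are swapped by configuration, and nothing about roles or permissions leaks into the core.

```ruby
require 'base64'

# Hypothetical sketch of the "ActionUser" idea (added example, not Rails code).
# The core exposes one question, current_user(request), and delegates it to a
# configured backend. Backends implement #authenticate(request) -> User or nil.
module ActionUser
  # The only thing the core hands back. No roles, no ACLs, no permissions.
  User = Struct.new(:login)

  # Backend for HTTP Basic auth. `credentials` is a {login => password} Hash
  # (constructed for the example; a real backend would check hashed secrets).
  class HTTPBasic
    def initialize(credentials)
      @credentials = credentials
    end

    def authenticate(request)
      header = request.fetch(:headers, {})['Authorization'].to_s
      return nil unless header.start_with?('Basic ')
      login, password = Base64.decode64(header[6..]).split(':', 2)
      return nil if login.nil? || password.nil?
      expected = @credentials[login]
      return nil unless expected && same_secret?(expected, password)
      User.new(login)
    end

    private

    # Reject on length first, then compare every byte regardless of mismatches,
    # so a wrong password does not leak how many leading bytes were right.
    def same_secret?(a, b)
      return false unless a.bytesize == b.bytesize
      a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
    end
  end

  # Backend that only keeps anonymous visitors out: whoever the application
  # already put in the session (assumed key :login) is the current user.
  class Simple
    def authenticate(request)
      login = request.fetch(:session, {})[:login]
      login ? User.new(login) : nil
    end
  end

  # Framework-side API: configure the backend once; callers never learn which
  # backend answered. Swapping HTTPBasic for an LDAP or Kerberos backend is a
  # one-line configuration change.
  class << self
    attr_accessor :backend

    def current_user(request)
      backend.authenticate(request)
    end
  end
end

# What a controller filter would reduce to: returns [status, user].
# 401 is all the core needs to know; what the user may do is the app's problem.
def require_user(request)
  user = ActionUser.current_user(request)
  user ? [200, user] : [401, nil]
end

# Constructed sample credentials and requests for the demo.
CREDS = { 'alice' => 'correct horse' }.freeze

def demo_http_basic
  ActionUser.backend = ActionUser::HTTPBasic.new(CREDS)
  good = { headers: { 'Authorization' => 'Basic ' + Base64.strict_encode64('alice:correct horse') } }
  bad  = { headers: { 'Authorization' => 'Basic ' + Base64.strict_encode64('alice:wrong') } }
  [require_user(good), require_user(bad), require_user({})]
end

def demo_simple
  ActionUser.backend = ActionUser::Simple.new
  [require_user({ session: { login: 'bob' } }), require_user({ session: {} })]
end

if __FILE__ == $PROGRAM_NAME
  p demo_http_basic
  p demo_simple
end
```

Note that `require_user` is identical under both backends; that is the whole argument for a standard interface. A permissions layer, if an application wants one, sits on top of the `User` the core returns rather than inside the backend.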
I know DHH isn’t interested in including this in the core, but it’s not like ActionMailer shows up in Martin Fowler’s Patterns of Enterprise Application Architecture. With so many different auth projects going on I can’t help but think that a standard interface for auth would benefit the community as a whole.
Am I the only Rails developer sick of repeating myself, cobbling together auth for each new project?