
Customizing authentication

KavyaSukumar edited this page Mar 17, 2016 · 5 revisions

Autotune uses OAuth providers for authentication.

At Vox Media, we use Chorus as the authentication provider. However, Autotune can be set up to use any provider, such as GitHub, Twitter or your organization's authentication system, as long as it is OAuth-compliant.

Before implementing new authorization providers, it is important to understand how Autotune authenticates and authorizes users.

OAuth in Autotune

Autotune uses omniauth to implement OAuth support. For more info on how to integrate new providers into Autotune, read the wiki.

Roles

Apart from authentication, the OAuth credentials are also used to authorize users. Autotune supports three roles - superuser, editor and author.

  • superuser : Super user privilege gives the user full access to everything in Autotune. Only super users can add new blueprints or manage existing ones.
  • designer : Designers have editor privileges plus access to create and edit themes.
  • editor : Editors can create projects as well as edit other users' projects.
  • author : Author is the lowest privilege role. Authors can create projects. They can see only the projects they created and cannot edit other users' projects.

Setting up your own provider

Adding your own authentication provider is easy with OmniAuth.

Once your Rails app is set up, the initializer for OmniAuth can be found under /config/initializers/omniauth.rb.

The following code snippet, for instance, sets up GitHub as the auth provider for production, while keeping a developer authentication provider for other environments.

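# Use GitHub in production and the developer strategy everywhere else.
Rails.configuration.omniauth_preferred_provider = Rails.env.production? ? :github : :developer
Rails.application.config.middleware.use OmniAuth::Builder do
  # OmniAuth's :developer strategy performs no real authentication,
  # so it is never registered in production.
  provider :developer unless Rails.env.production?
  # Client ID and secret come from the environment, not from source control.
  provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET']
end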

Modify this file as required to customize your providers.

Groups and authorization

Groups are used to control access to projects in Autotune.

A group has one or more themes. A user's role on a group determines the privileges he/she has for blueprints, projects and themes.

See more about roles above.

Creating groups

Autotune comes with a Generic group if nothing is specified. New groups are added as they are encountered during authentication and authorization.

Authorization is done by the verify_omniauth function in /config/initializers/autotune.rb.

See code here for documentation on how to assign roles.

  • To assign global roles (applicable across all themes), return an array with a role symbol. For instance, to make the user a super user, return [:superuser].
  • To assign a role to particular themes, return a hash in the following format - :{role_name} => [{comma separated list of themes}].
    E.g.: :author => [:mynewsorg] or :editor => [:mynewsorg, :generic].

Make sure you add a theme to conf.themes before you provide a role for it.
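
The two return shapes and the theme check described above, as an added example that is not Autotune's own code: it maps an OmniAuth auth hash to a role assignment and gives unknown identities no role. KNOWN_THEMES stands in for conf.themes; POLICY, roles_for and validate_roles! are hypothetical names, the uids are constructed, and returning an empty array for "no role" is this example's convention.

```ruby
# Added example, not Autotune's own code. KNOWN_THEMES stands in for
# conf.themes; POLICY, roles_for and validate_roles! are hypothetical names.
KNOWN_THEMES = %i[generic mynewsorg].freeze
VALID_ROLES  = %i[superuser designer editor author].freeze

# Constructed sample policy, keyed by "provider:uid" from the OmniAuth auth hash.
# provider + uid is stable; display names and e-mail addresses can change.
POLICY = {
  'github:1001' => [:superuser],                       # global role
  'github:1002' => { editor: %i[mynewsorg generic] },  # per-theme role
  'github:1003' => { author: [:mynewsorg] }
}.freeze

# Reject anything that is not one of the two documented shapes:
# an array of role symbols, or a hash of role => [themes].
def validate_roles!(roles)
  case roles
  when Array
    bad = roles - VALID_ROLES
    raise ArgumentError, "unknown role(s): #{bad.inspect}" unless bad.empty?
  when Hash
    roles.each do |role, themes|
      raise ArgumentError, "unknown role: #{role.inspect}" unless VALID_ROLES.include?(role)
      missing = Array(themes) - KNOWN_THEMES
      raise ArgumentError, "theme(s) not configured: #{missing.inspect}" unless missing.empty?
    end
  else
    raise ArgumentError, "roles must be an Array or a Hash, got #{roles.class}"
  end
  roles
end

# Map an OmniAuth auth hash to a role assignment. Identities that are not in
# the policy get an empty array (no role) instead of a default privilege.
def roles_for(auth)
  key = "#{auth['provider']}:#{auth['uid']}"
  roles = POLICY[key]
  return [] if roles.nil?

  validate_roles!(roles)
end
```

Because the key includes the provider, an identity asserted by the developer provider never matches a GitHub entry, even with the same uid.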