@JoelLindow
Last active July 21, 2017 00:40
Authorization questionnaire

What’s the difference between Authentication and Authorization?

  • Authentication = You are who you say you are (User Name and Password).
  • Authorization = Level of access. Are you allowed to do what you want to do or are trying to do?

Why are both necessary for securing our applications?

Full control of what your users are doing on your site.

  • Authentication = To verify that this is a user who has been allowed to access and use the site.
  • Authorization = To make sure that unauthorized users don't have access to making changes, or disrupting parts of the application that they shouldn't be touching.

What’s a before_action filter in Rails?

  • Requires that a user is logged in and/or has a certain level of access for an action to be run

How can we scope a filter down to only work with specific actions?

  • We use the only option to specify which actions the filter does and doesn't run for.

What’s an enum attribute in ActiveRecord? Why would we ever want to use this?

When thinking about Authorization, why might we want to namespace a resource?

  • If you namespace a resource (such as admin) and you're logged in as an admin, you might have access to it. But if you're not an admin, you wouldn't have access to those actions.
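The before_action, only-scoping and namespacing answers above, carried through in working code. This is an added example written for this page, not the gist's code and not Rails itself: plain Ruby that imitates the shape of before_action with only:, an ActiveRecord-style enum for a role column (the unanswered enum question above), and an Admin namespace whose controllers inherit an admin check. User, ApplicationController, ItemsController, Admin::BaseController, Admin::ItemsController and dispatch are all constructed here and are not Rails APIs.

```ruby
# Added example for this page, not the gist's code and not Rails. Plain Ruby
# imitating: before_action scoped with only:, an ActiveRecord-style enum for a
# role column, and an Admin namespace that inherits an admin check.

class User
  # Like `enum role: [:default, :admin]`: the column stores an integer and the
  # model gets default?/admin? predicates. Unknown roles raise, as in AR.
  ROLES = { default: 0, admin: 1 }.freeze

  attr_reader :role_value

  def initialize(name, role: :default)
    @name = name
    @role_value = ROLES.fetch(role)
  end

  def role
    ROLES.key(@role_value)
  end

  ROLES.each_key do |r|
    define_method("#{r}?") { @role_value == ROLES[r] }
  end
end

class ApplicationController
  # Stand-in for before_action: each filter is stored with the actions it is
  # scoped to (nil means it runs before every action).
  def self.filters
    @filters ||= []
  end

  def self.before_action(name, only: nil)
    filters << [name, only && Array(only).map(&:to_sym)]
  end

  # Subclasses start with a copy of the parent's filters, so a namespace base
  # controller hands its checks down to every controller under it.
  def self.inherited(subclass)
    super
    subclass.instance_variable_set(:@filters, filters.dup)
  end

  attr_reader :current_user

  def initialize(current_user)
    @current_user = current_user
  end

  # Run the filters that apply to this action; a filter that renders halts the
  # chain before the action itself is reached.
  def process(action)
    self.class.filters.each do |name, only|
      next if only && !only.include?(action)
      send(name)
      return @status if @status
    end
    send(action)
    @status
  end

  private

  def render_not_found
    @status = :not_found
  end
end

class ItemsController < ApplicationController
  # Scoped filter: anyone may list items, only logged-in users may create them.
  before_action :require_login, only: [:new, :create]

  def index
    @status = :ok
  end

  def new
    @status = :ok
  end

  private

  def require_login
    render_not_found if current_user.nil?
  end
end

module Admin
  # Namespaced resource: every controller under Admin:: inherits this check.
  class BaseController < ApplicationController
    before_action :require_admin

    private

    def require_admin
      render_not_found unless current_user&.admin?
    end
  end

  class ItemsController < BaseController
    def index
      @status = :ok
    end
  end
end

def dispatch(controller_class, action, user)
  controller_class.new(user).process(action)
end
```

Calling dispatch(ItemsController, :index, nil) returns :ok because index is outside the only: list, while dispatch(ItemsController, :new, nil) returns :not_found; dispatch(Admin::ItemsController, :index, user) returns :ok only when user.admin? is true, without Admin::ItemsController declaring any filter of its own. Rendering a 404 rather than a 403 for non-admins is a common choice so that the namespace does not confirm it exists.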

What does allow_any_instance_of in RSpec do?

A mock or a stand-in is a dummy for a method you can use to get your test going.

  • ??????????????????????????????????
  • Forcing current_user, which lives in ApplicationController, to return a user that we create (instead of nil), and letting current_user return as admin.
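The stand-in described above, as an added example for this page. It is not the gist's code and not RSpec's internals: a hand-rolled stub_any_instance that does what allow_any_instance_of(ApplicationController).to receive(:current_user).and_return(admin) achieves in a test, by swapping the method on the class so every instance (subclasses included) returns the canned user until the block ends, then restoring the original. User, ApplicationController, AdminController, show_without_stub and show_as are constructed for the example.

```ruby
# Added example for this page, not the gist's code and not RSpec's internals.
# A hand-rolled stand-in for
#   allow_any_instance_of(ApplicationController).to receive(:current_user).and_return(admin)
# The method is swapped on the class, so every instance (subclasses included)
# returns the canned user until the block ends and the original is restored.

class User
  attr_reader :name, :role

  def initialize(name, role: :default)
    @name = name
    @role = role
  end

  def admin?
    @role == :admin
  end
end

class ApplicationController
  private

  # In the real app this reads the session; with no session it is nil.
  # Kept private, as current_user usually is in Rails (exposed via helper_method).
  def current_user
    nil
  end
end

class AdminController < ApplicationController
  def show
    current_user&.admin? ? :ok : :forbidden
  end
end

# Replace `method` on every instance of `klass` with one returning `value`
# for the duration of the block, then put the original implementation back
# (including its visibility, so a private current_user stays private).
def stub_any_instance(klass, method, value)
  was_private = klass.private_instance_methods(false).include?(method)
  owned = was_private || klass.instance_methods(false).include?(method)
  original = klass.instance_method(method)
  klass.send(:define_method, method) { value }
  begin
    yield
  ensure
    if owned
      klass.send(:define_method, method, original)
      klass.send(:private, method) if was_private
    else
      klass.send(:remove_method, method)
    end
  end
end

def show_without_stub
  AdminController.new.show
end

# What the test does: force current_user to return a user we built ourselves.
def show_as(user)
  stub_any_instance(ApplicationController, :current_user, user) do
    AdminController.new.show
  end
end

puts show_without_stub                        # :forbidden
puts show_as(User.new("boss", role: :admin))  # :ok
puts show_without_stub                        # :forbidden again, stub removed
```

The restore in ensure is the part that matters in a real suite: a stub that leaks past its example makes every later authorization test pass for the wrong reason, so RSpec tears these down after each example and this stand-in does the same at the end of the block.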