I’ve been messing with login_engine for a day or two and it works nicely.
Going from there, I think what you want is not that hard to realise. If you create an extra field in the users table which is called e.g. maintained_by, then you can set up relations between what user-user can be maintained by what admin-user (admin-user being a user with privileges to manage other users).
Or, if it needs to be ‘bigger’, an extra table with a many-to-many relationship if an end user can be maintained by more than one admin-user (but that seems like overkill).
Regards,
Gerard.
On Tuesday 03 January 2006 22:44, Frank tried to type something like:
Thanks
Frank
–
“Who cares if it doesn’t do anything? It was made with our new
Triple-Iso-Bifurcated-Krypton-Gate-MOS process …”
I want to allow some users to manage other user accounts, but do not
want them to manage the admin account.
I have tried auth_generator, login_engine and user_engine.
I am having a hard time getting this to work.
Looking for advice and help.
Thanks
Frank
The login/user engine combo supports multiple ‘roles’. There are two
edit functions, one that edits the current user and one that edits a
different one. It is a simple matter to assign the permission to use
the one that edits other users to a ‘superadmin’ or ‘admin’ role.
I am having trouble understanding the user_engine.
It seems if I uncheck all user permissions for a role called supervisor,
the user assigned to supervisor can still create a new user.
Are there any better docs on login_engine and user_engine?
The administrator role (i.e. the one which the user engine has been
told to use as admin) is ‘omnipotent’ - i.e. any users with this role
will be able to perform all actions, no matter what the actual
permissions set to it are. It’s basically a ‘root’ user. What you
probably want to do is create a new role for your supervisor - which
will, of course, respect the permissions you assign to it.
Aside from the RDoc in the code, there is no real documentation for
the user engine (or the login engine I suppose). Obviously it would be
great if there was more information, and I’ll work on that when I get
the chance. However, docs will never be a substitute for reading (and
hopefully understanding) the code…
I created a supervisor role and assigned delete_user and edit_user.
This role is allowed to delete admin.
I do not want admin to be changed or deleted by this role.
What can I do?
Frank
----- Original Message -----
From: “James A.” [email protected]
To: [email protected]
Sent: Wednesday, January 04, 2006 4:57 AM
Subject: Re: [Rails] Re: best authorization?
The administrator role (i.e. the one which the user engine has been
told to use as admin) is ‘omnipotent’ - i.e. any users with this role
will be able to perform all actions, no matter what the actual
permissions set to it are. It’s basically a ‘root’ user. What you
probably want to do is create a new role for your supervisor - which
will, of course, respect the permissions you assign to it.
Aside from the RDoc in the code, there is no real documentation for
the user engine (or the login engine I suppose). Obviously it would be
great if there was more information, and I’ll work on that when I get
the chance. However, docs will never be a substitute for reading (and
hopefully understanding) the code…
You want something that is beyond the scope of the user engine, i.e.
access control over specific objects.
The user engine only controls which actions a particular Role can
execute. However, you can control which objects can be manipulated by
providing different actions for manipulating each object type.
The user engine’s own user-management actions will need to be
overridden if you want to impose restrictions on which objects they can
modify.
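The object-level check this thread asks for, as an added example in plain Ruby that is not part of the original posts and is not user_engine code: it layers a per-target rule (never touch an admin account, only touch accounts assigned through maintained_by) on top of the role-to-action check. The User struct, the ROLE_PERMISSIONS table, the method names and the sample accounts are all hypothetical.

```ruby
# Added example: plain Ruby, not user_engine's API. All names are hypothetical.
User = Struct.new(:login, :roles, :maintained_by)

# Role -> actions it may invoke (the action-level check described in the thread).
ROLE_PERMISSIONS = {
  "supervisor" => %w[edit_user delete_user],
  "user"       => []
}.freeze
ADMIN_ROLE = "admin" # the 'omnipotent' role: allowed every action

def admin?(user)
  user.roles.include?(ADMIN_ROLE)
end

# Action-level check only. On its own it lets a supervisor delete admin,
# because it never looks at which account is being modified.
def action_allowed?(actor, action)
  admin?(actor) ||
    actor.roles.any? { |r| ROLE_PERMISSIONS.fetch(r, []).include?(action) }
end

# Object-level check layered on top, deny by default:
#  1. the actor must hold the permission for the action,
#  2. a non-admin may never modify an account holding the admin role,
#  3. a non-admin may only modify accounts assigned to it via maintained_by.
def may_manage?(actor, target, action)
  return false unless action_allowed?(actor, action)
  return true  if admin?(actor)
  return false if admin?(target)
  target.maintained_by == actor.login
end

# Constructed sample accounts.
ROOT  = User.new("root",  ["admin"],      nil)
SUE   = User.new("sue",   ["supervisor"], nil)
BOB   = User.new("bob",   ["user"],       "sue")
CAROL = User.new("carol", ["user"],       "dave")
```

In a Rails application the overridden edit and delete actions would call a check like may_manage? with the logged-in user and the target record before changing anything.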