I’m building an application which is going to require quite fine grained
access control. Deciding if a user is allowed to access an action will
probably require checking quite a number of different rules, so a simple
role-based system won’t be flexible enough.
The approach I think I will try first is, if it’s possible, to ignore
permission issues inside the actions. I think this may be achievable by
using quite a complicated before_filter to decide if the current user is
allowed to execute this action with the given parameters.
Anyway, if anyone could lend a bit of their experience, or possibly even
better, recommend some resources which cover building larger permissions
systems (books, articles etc…) I’d be very grateful.