I have been working on an app but ran into many problems when i was
applying authentication and authorization.
I want to have the following users with the given abilities.
Admin: full control on the entire system, but apart from login , email
and password it does not require any more attributes
company owner: should be able to created the number of companies the
admin approves, and have full control over all of its companies, i
would like to send an invitation to this user type
user: should have different roles and has couple more fields than the
company owner. The super user roles can only have full control over
its own company. user cant create companies and should belong to a
company and cant create companies. owners or super users should be
able to create them via a crud
client: if approved by the admin a company is clients are allowed to
log in to the system, they only have read access to their personal
data and an internal email system. Have lots of fields, ca be
affiliated to a company but the admin has access to all clients in the
system. company owners only have access to their companies clients ,
and the users only to the clients that are affiliated to their
the problem comes now, I have 4 models at the moment, i would like
authentication an authorization systems to be common to all of them. I
have 4 abilities with cancan, and 4 resources with devise, but keeping
up with everything was very redundant, i have 4 login page 4 path to
signout, etc. If i unify all users in a single model an manage
everything with fields in the DB im a little confuse on how to handle
the company users relation since companies belong to owners in the
current design but a company has many users and clients.
I have been thinking of a has many through association with resources
called ownership, employ and affiliation
and use boolean fields or a user type field to differentiate each type
of user. I would need a lot of conditional validations of course.
would STI be helpful or would it require 4 of everything anyway? i
want to have one login page and one ability class.
Anyone has a better solution? i would appreciate some comments on