Need help with n<->n authorization


#1

Hi folks,

I’m trying to implement an authorization system with users, roles and
permissions. Each user can have multiple roles, each role multiple
permissions and users can have multiple ‘snowflake’ permissions as
well.

This is my migration schema:

############################
create_table “permissions”, :force => true do |t|
t.string “name”
t.string “controller”
t.boolean “c”
t.boolean “u”
t.boolean “d”
t.datetime “created_at”
t.datetime “updated_at”
end

create_table “permissions_roles”, :force => true do |t|
t.integer “role_id”
t.integer “permission_id”
end

create_table “roles”, :force => true do |t|
t.string “name”
t.datetime “created_at”
t.datetime “updated_at”
end

create_table “roles_users”, :force => true do |t|
t.integer “user_id”
t.integer “role_id”
end

create_table “snowflakes”, :force => true do |t|
t.integer “user_id”
t.integer “permission_id”
t.datetime “due_date”
t.datetime “created_at”
t.datetime “updated_at”
end

create_table “users”, :force => true do |t|
t.string “login”, :null => false
t.string “crypted_password”, :null => false

end
############################

As you can see, the user->role->permission-path is solved with
has_and_belongs_to_many connections and the user->permission-path with
has_many, :through snowflakes connections.

What is the best way to authorize a user?

I have various ideas, but I don’t know how to implement them in Rails
and which of them are the best in case of performance and security. I
thought of a prepared statement with all permissions by user or an
array with all permissions stored and cached. But I don’t know how I
can do something like array.find_by_controller().

Can anybody help me with a clean and straight solution for that
problem?

Thank you very much in advance!

Pat


#2

I really need help with this problem. Is there any better approach?