Noob looking for an approach to Memberships in Rails

I’m not looking for a complete solution, maybe just a nudge in the right
direction? For example, rather than restricting users to updating/creating
certain classes (which seems to be the most common example given for
Authorisation/authentication gems), how do I restrict a certain user to a
single instance of a class and the multiple other classes that belong to it?

Say, for example I have a site for many authenticated/authorised Users:

  • These users are employed at different Companies, many of which might
    have multiple Offices.

  • Users employed at one company will never access details of another
    company or even be aware of their existence.

I was wondering if nested resources or using the database structure was
the way to go, but I read that more than 2 nesting depths was very bad for
site performance…

Are there any gems/open source projects that make it simpler to establish
this setup: e.g. a single point of entry (one login page for any user) but
then redirect them automatically to the Project list in the Company/Office
they belong to?

Thanks in advance for any advice you can give.

On 16 December 2011 12:36, Jason W. [email protected] wrote:

I’m not looking for a complete solution, maybe just a nudge in the right
direction? For example, rather than restricting users to certain classes
(which seems to be the most common example given for
Authorisation/authentication gems)

Which gems are you specifically referring to as being limited in this
way? For instance, both CanCan and Aegis allow very complex
permissions models to be defined with their DSLs, and I’m pretty sure
the other main options do too.

It’s only the most simple permissions-to-roles associations approaches
that I’ve seen that by design give all users of the same role the same
access to data. But any system that has a “permissions” model should
allow you to define rules that are evaluated for each user (so that a
user assigned to a company can only see orders for that company, etc).

You asked for a nudge, but I’ll push you off the cliff.
First find some useful videos here:
Ruby on Rails Screencasts - RailsCasts

Then think about your structure, right now it seems like you have
-Companies
–Offices

-Users

There are always many logical join tables: employment (linking to a
company), and work_location (linking to an office, and therefore a
company). Depending on your inevitable goals these may or may not be
appropriate.

Now you use one of the authentication and authorization methods to
restrict controller access to whatever you want.
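The structure sketched in this reply, as an added example that is not part of the thread: an in-memory stand-in (plain Ruby Structs, no ActiveRecord) for Companies with Offices, and Users attached through the two join tables named above, employment and work_location. Because a work_location implies a company through its office, the example also checks that the implied company agrees with the employment row before deciding where to send a user after login. The route shape, model names and sample rows are assumptions, not anyone's real application.

```ruby
# Added example (not from the thread): Companies -> Offices, Users joined in
# through employment (user -> company) and work_location (user -> office).
Company      = Struct.new(:id, :name)
Office       = Struct.new(:id, :company_id, :name)
User         = Struct.new(:id, :email)
Employment   = Struct.new(:user_id, :company_id)
WorkLocation = Struct.new(:user_id, :office_id)

# Constructed sample data standing in for database rows.
COMPANIES = [Company.new(1, "Acme"), Company.new(2, "Globex")]
OFFICES   = [Office.new(10, 1, "Acme London"), Office.new(20, 2, "Globex Paris")]
USERS     = [User.new(100, "ann@acme.example"),
             User.new(200, "bob@globex.example"),
             User.new(300, "cat@acme.example")]
EMPLOYMENTS    = [Employment.new(100, 1), Employment.new(200, 2), Employment.new(300, 1)]
WORK_LOCATIONS = [WorkLocation.new(100, 10), WorkLocation.new(200, 20),
                  WorkLocation.new(300, 20)] # user 300: office in another company

def employer_of(user)
  emp = EMPLOYMENTS.find { |e| e.user_id == user.id }
  emp && COMPANIES.find { |c| c.id == emp.company_id }
end

def office_of(user)
  loc = WORK_LOCATIONS.find { |w| w.user_id == user.id }
  loc && OFFICES.find { |o| o.id == loc.office_id }
end

class MembershipError < StandardError; end

# The office's company must agree with the employment row; otherwise a user
# could be parked in another company's office and see its data. Treat any
# mismatch (or missing row) as an integrity error rather than guessing.
def resolve_membership(user)
  company = employer_of(user) or raise MembershipError, "user #{user.id} has no employer"
  office  = office_of(user)   or raise MembershipError, "user #{user.id} has no office"
  if office.company_id != company.id
    raise MembershipError, "office #{office.id} is not in company #{company.id}"
  end
  [company, office]
end

# One login page for everyone, then a redirect to the project list of the
# user's own company and office. The path shape is an assumption.
def landing_path(user)
  company, office = resolve_membership(user)
  "/companies/#{company.id}/offices/#{office.id}/projects"
end
```

In a real app the two lookups would be associations (`has_one :employment`, `has_one :work_location`) and the agreement check a model validation on `WorkLocation`; the point is that the redirect target is derived from the user's own membership rows, never from a parameter the browser supplies.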

I share your pain. The rails community seems to be mostly satisfied with
role-based access control. However I needed a process whereby I could do
group-membership-based access control. In my project, content (Posts,
Uploads, Comments, etc.) needed to be protected on a group basis. After
much searching I found a way using the CanCan gem and its “hash of
conditions” capability. I described the solution in an answer to my own
Stack Overflow question:

I’ve proven this approach in initial testing. Have yet to push it into
scale testing or production, but CanCan seems to be a well-used gem. Hope
this helps.
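The “hash of conditions” idea from this reply, and the earlier point that a permissions model evaluates rules per user so a user assigned to a company (or group) only sees that group's records, as an added example that is not part of the thread and is not the CanCan gem itself: a small plain-Ruby stand-in where a rule is an action, a record class and a hash of attribute => allowed value(s), built per user from that user's own memberships. The model names (Group, Membership, Post), the `Ability` class and the sample rows are assumptions.

```ruby
# Added example (not from the thread, not CanCan): per-user rules expressed
# as a hash of conditions on record attributes, evaluated with default deny.
Group      = Struct.new(:id, :name)
Membership = Struct.new(:user_id, :group_id)
Post       = Struct.new(:id, :group_id, :title)
User       = Struct.new(:id, :name)

# Constructed sample data: alice is in groups 10 and 20, bob only in 20.
MEMBERSHIPS = [Membership.new(1, 10), Membership.new(1, 20), Membership.new(2, 20)]
POSTS = [Post.new(1, 10, "Group 10 notes"),
         Post.new(2, 20, "Shared notes"),
         Post.new(3, 30, "Somebody else's notes")]

def group_ids_for(user)
  MEMBERSHIPS.select { |m| m.user_id == user.id }.map(&:group_id)
end

class Ability
  Rule = Struct.new(:action, :subject, :conditions)

  # Rules are built for one user, so the conditions hash already carries
  # that user's own group ids: same "role", different data per user.
  def initialize(user)
    @rules = []
    can :read,   Post, group_id: group_ids_for(user)
    can :create, Post, group_id: group_ids_for(user)
  end

  def can(action, subject, conditions = {})
    @rules << Rule.new(action, subject, conditions)
  end

  # Allowed if some rule for this action and class has every condition
  # satisfied. An Array value means "any of these", a scalar means equality.
  # No matching rule means denied.
  def can?(action, record)
    @rules.any? do |r|
      r.action == action && record.is_a?(r.subject) &&
        r.conditions.all? { |attr, allowed| matches?(record.public_send(attr), allowed) }
    end
  end

  # Filter a collection with the same rules, which is what an index action
  # needs so that other groups' records never reach the view at all.
  def accessible(action, records)
    records.select { |rec| can?(action, rec) }
  end

  private

  def matches?(value, allowed)
    allowed.is_a?(Array) ? allowed.include?(value) : allowed == value
  end
end

ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")
```

The two checks belong together: `can?` guards a single record in show/update actions, and `accessible` (CanCan's equivalent turns the same hash into a database scope) keeps list pages from leaking the existence of other groups' content, which was the second requirement in the original question.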