There’s a question I can’t really answer for myself. Let’s assume
I’ve got a rails application for selling cars. A user can create an
advertisement by choosing the corresponding model from a table
“car_models” and then add additional information. The user should
always be able just to read the “car_models” table, not to change
it. On the other hand, there’s an assistant who administers the
“car_models” table, adding, changing and removing entries.
So, where are we? We have our “CarModel” controller with its CRUD
methods. And, let’s assume, we have role-based access control
implemented. A normal user is a group member of “STD_USER”, for
example. So he may only access the “get” or “read” methods,
whatever. The assistant however is a member of the group “STD_ADMIN”,
for example, and has access to all methods of our “CarModel”.
Although this looks secure, I must confess that I am concerned. What
if the RBAC fails for some reason? What if a normal user accidentally
ends up in the admin group?
Wouldn’t it be better to separate those functionalities? Let’s say:
one administration application and one great wide world application.
I’m not convinced myself. How do you handle this?
I would be very happy about suggestions.
Thank you very much!
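The two-layer arrangement discussed above (an explicit role check plus a separate admin channel for writes), as an added example that is not part of the original post. It is plain Ruby rather than Rails code; the names `STD_USER`, `STD_ADMIN`, `CarModelPolicy` and the `Request` stand-in are illustrative assumptions.

```ruby
# Added example (not from the original post): a deny-by-default policy for the
# "CarModel" resource, plus a second, independent check for write actions.
# Names (STD_USER, STD_ADMIN, CarModelPolicy, Request) are assumptions.

READ_ACTIONS  = %i[index show].freeze
WRITE_ACTIONS = %i[create update destroy].freeze

# Explicit allow-list per role. Anything not listed is denied, so a typo or a
# missing entry fails closed rather than open.
PERMISSIONS = {
  "STD_USER"  => READ_ACTIONS,
  "STD_ADMIN" => READ_ACTIONS + WRITE_ACTIONS,
}.freeze

User = Struct.new(:name, :groups)
# Constructed stand-in for a controller request: which mount the request came
# through (:public or :admin) and whether the session was established by the
# separate admin login.
Request = Struct.new(:action, :mount, :admin_session)

class CarModelPolicy
  def initialize(user, request)
    @user, @request = user, request
  end

  # Layer 1: role check, deny by default (unknown groups grant nothing).
  def role_allows?
    @user.groups.any? { |g| (PERMISSIONS[g] || []).include?(@request.action) }
  end

  # Layer 2: write actions are only reachable through the admin mount (a
  # separately deployed admin app or namespace) and need an admin session.
  # A user who accidentally landed in STD_ADMIN but came through the public
  # app still cannot modify car_models, because this layer does not consult
  # group membership at all.
  def channel_allows?
    return true if READ_ACTIONS.include?(@request.action)
    @request.mount == :admin && @request.admin_session == true
  end

  def allowed?
    role_allows? && channel_allows?
  end
end

def authorize(user, request)
  CarModelPolicy.new(user, request).allowed?
end
```

Either layer on its own would let a mis-grouped user through; only the combination of role and channel grants a write, which is the defence-in-depth the question is asking about.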