0

For using multiple "roles" on Users in rails_admin, CanCan seems to be a great choice. So I added a boolean attribute "admin" to the User model and told CanCan to allow access to rails_admin only if this is present.

But isn't this a security issue? How can I be sure that nobody is able to change the attribute?

PascalTurbo

2 Answers

0

I will preface this by saying my knowledge of Rails is limited. However, adding a boolean attribute to an object that is not final (or whatever the Ruby equivalent of "not able to be changed" is). Further, you need to add some defensive coding into your application (design by contract, for instance). The inherent risk of having a mutable property is always an issue. A potential way to mitigate this is to use a database, or to use certificates that are managed by a trusted source (that way users cannot easily forge certificates and dupe your system).

Woot4Moo
0

Don't put the admin attribute in the accessible method, so nobody can change its value.

Thanh
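To make the point of the second answer concrete, here is an added example (not code from the question or either answer, and not Rails or CanCan itself): a plain-Ruby model that imitates attribute whitelisting for mass assignment. The class names `User`, `UnprotectedUser` and `Ability`, the `ACCESSIBLE` list and the request hash are all constructed for this illustration. The protected model keeps `admin` out of the mass-assignable list, so a request that tries to include `admin=true` in a profile update is rejected and the flag can only be set through an explicit, separate code path; the unprotected variant beside it shows what happens when `admin` is whitelisted.

```ruby
# Added example: a plain-Ruby stand-in for a Rails model with a whitelist of
# mass-assignable attributes. Not the rails_admin/CanCan implementation.

class MassAssignmentError < StandardError; end

class User
  attr_reader :name, :email, :admin

  # Keys that may be written from untrusted request parameters.
  # `admin` is deliberately absent: that is the whole defence.
  ACCESSIBLE = %i[name email].freeze

  def initialize
    @name = nil
    @email = nil
    @admin = false # never written from params; see #promote_to_admin!
  end

  # Mass assignment from a request hash. Any key outside the whitelist is
  # rejected with an error instead of being silently written to the model.
  def assign_attributes(params)
    params.each do |key, value|
      key = key.to_sym
      unless self.class::ACCESSIBLE.include?(key)
        raise MassAssignmentError, "#{key} is not mass-assignable"
      end
      instance_variable_set("@#{key}", value)
    end
    self
  end

  # The only path that changes `admin`: an explicit call a controller would
  # reach only from an action that is itself restricted to administrators.
  def promote_to_admin!
    @admin = true
    self
  end
end

# The weak configuration for comparison: `admin` has been whitelisted, so a
# crafted profile update can flip it.
class UnprotectedUser < User
  ACCESSIBLE = %i[name email admin].freeze
end

# Minimal stand-in for a CanCan Ability: rails_admin access depends solely on
# the persisted `admin` flag, which is why that flag must not be user-writable.
class Ability
  def initialize(user)
    @user = user
  end

  def can_access_rails_admin?
    @user.admin == true
  end
end

# Constructed request: a normal profile update that also carries `admin` => true.
TAMPERED_UPDATE = { "name" => "mallory", "email" => "m@example.test", "admin" => true }.freeze

# Apply the untrusted update to a fresh model and report whether it was
# rejected and what the admin flag ended up as.
def apply_untrusted_update(model_class = User, params = TAMPERED_UPDATE)
  user = model_class.new
  begin
    user.assign_attributes(params)
  rescue MassAssignmentError => e
    return { rejected: true, reason: e.message, admin: user.admin }
  end
  { rejected: false, reason: nil, admin: user.admin }
end

if __FILE__ == $PROGRAM_NAME
  p apply_untrusted_update                  # rejected, admin stays false
  p apply_untrusted_update(UnprotectedUser) # accepted, admin becomes true
end
```

In a real Rails 3 app the equivalent is leaving `:admin` out of `attr_accessible` (or, in Rails 4 and later, out of the `permit` list in strong parameters), and setting the flag only from an action that CanCan already restricts to administrators.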