I'm trying to set up an admin role system, where many admins have different roles. I'm starting with two roles, :super_admin and :office_admin.
I want the :office_admin to have the ability to manage other :office_admins, but not the :super_admins. I've accomplished parts of this idea through the Ability file.
My schema:

    class Admin < ActiveRecord::Base
      has_many :admin_assignments
      has_many :admin_roles, :through => :admin_assignments
      attr_accessible :name, :admin_role_ids
    end

    class AdminAssignment < ActiveRecord::Base
      attr_accessible :admin_id, :admin_role_id
      belongs_to :admin
      belongs_to :admin_role
    end

    class AdminRole < ActiveRecord::Base
      has_many :admin_assignments
      has_many :admins, :through => :admin_assignments
      attr_accessible :name
    end

    class AdminAbility
      include CanCan::Ability

      def initialize(admin)
        if admin.role? :super_admin
          can :manage, Admin
        elsif admin.role? :office_admin
          can :manage, Admin, :admin_roles => { :name => ['office_admin'] }
        end
      end
    end

My problem is I cannot prevent the office admin from assigning himself the role of SuperAdmin. Is this something I can do through CanCan or do I have to push parts of that authorization logic into the ActiveRecord model?
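
An added example, not part of the original post: the missing check written in plain Ruby (no Rails or CanCan), validating the submitted admin_role_ids against the roles the acting admin may grant before they are assigned. GRANTABLE_ROLES, assignable_role_ids, RoleEscalationError and the sample role ids are assumptions made for illustration.

```ruby
# Plain-Ruby stand-ins for the models in the question (constructed sample data).
Role  = Struct.new(:id, :name)
Admin = Struct.new(:name, :roles) do
  def role?(role_name)
    roles.any? { |r| r.name == role_name.to_s }
  end
end

ROLES = [Role.new(1, 'super_admin'), Role.new(2, 'office_admin')].freeze

# Hypothetical policy table: which roles a holder of each role may hand out.
GRANTABLE_ROLES = {
  'super_admin'  => %w[super_admin office_admin],
  'office_admin' => %w[office_admin]
}.freeze

class RoleEscalationError < StandardError; end

# Returns the cleaned role ids when the acting admin may grant every one of
# them; raises otherwise. Ids that match no known role are denied as well.
def assignable_role_ids(actor, submitted_ids)
  allowed_names = actor.roles.flat_map { |r| GRANTABLE_ROLES.fetch(r.name, []) }.uniq
  allowed_ids   = ROLES.select { |r| allowed_names.include?(r.name) }.map(&:id)

  # Form params arrive as strings and may include a blank placeholder entry.
  ids = Array(submitted_ids).map(&:to_s).reject { |v| v.strip.empty? }
                            .map { |v| Integer(v, 10) }.uniq

  denied = ids - allowed_ids
  unless denied.empty?
    raise RoleEscalationError, "not permitted to grant role ids #{denied.inspect}"
  end
  ids
end

# Constructed demo: an office admin edits a record's roles.
office_admin = Admin.new('olive', [ROLES[1]])
puts assignable_role_ids(office_admin, ['', '2']).inspect
begin
  assignable_role_ids(office_admin, ['', '1', '2'])
rescue RoleEscalationError => e
  puts "rejected: #{e.message}"
end
```

In a Rails controller the same check would run on `params[:admin][:admin_role_ids]` before the update, with the acting admin taken from the session rather than from the record being edited.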