Roles and Permissions model in database

Question

I have a user model and lots of other models in my project, to create a RBAC system I implemented role and permission. User has_and_belongs_to_many roles and Role has_and_belongs_to_many permissions.

class Permission
  include Mongoid::Document
  field :ability, type: String

  has_and_belongs_to_many :roles
  belongs_to :permission_for, polymorphic: true, dependent: :destroy

  index({ability: 1,permission_for_id: 1},unique: true)
end

class Role
  include Mongoid::Document

  field :name, type: String

  has_and_belongs_to_many :permissions
  has_and_belongs_to_many :users
  belongs_to :role_for, polymorphic: true

  index({name: 1,role_for_id: 1},unique: true)
end

and in User model I have :

Class User
  include Mongoid::Document
  .
  .
  .
  def able?(scope,model,action)
    # There must be something to load and check permissions
  end
end

Role defined in a scope (role_for) and Permission defined in Models in Role's scope (project is scope and task is model in that scope) with permission_for.

In User model I need to get data from database and check if user is able to do that action, in large amount of data it take too long. able? function I've implemented is simple, it just load every user's role and every role's permission and then check if permission's ability is equal to action and then return true or false!

Is there any gem or code do something like that? and if there's not, could you give me advise on how to implement role and permission in such way, with much less database load?

Many many tahnks

Edit 1

Ok, I've created this relation and managed to use it in my models, performance in normal use is ok, but when I want to get huge amount data it's very slow. I need to cache roles and permissions in scope model, how can I do such thing? Is there any plugin for rails can do that for me?

Answer 1

Our product is near soft-launch and I implemented that solution but with minor tweaks :

How I've done RBAC :

  Project <--- Role <---> Permissions ---> Task
                 ^         (ability)
                 |          
                 |          
                 V          
               User (able?)               

^{This schema is very simplified version of final implementation but the concept is same}

User.able?(model,ability) returns true if union of all permissions of user's related roles witch are related to model has a permission with ability.

    permission >>   View         Edit      Delete
    V Role        --------------------------------
     1              true         false     false
     2              true         true      false
     3              false        true      false
                 --------------------------------
   result           true         true      false

_{I case of user has role 1,2,3 then user can view,edit but can't delete}

To solve Performance Issue and Database Hit used russian doll caching, for each role I cache Hash representation of permissions :

 role.get_permissions
 # returns {modelID => ['view'], model2ID => ['view','edit']}

And then merge this all this hashes for user and again cache that new hash.

In each call of able? method of User class I get that hash (from cache or if changed generate new from database) and Job Done :)

Our worst problem about this caching was cache expiry. So we decided to add new functionality to our ORM (MongoID)

Adding or removing permissions from role will update an attribute in role model (without updating it's timestamps)

For role-user on add/remove/edit role we do so and also for project-role relation.

But for task-permission we've done nothing, because permissions will never change (ability and ID is important).

For role-permission relation update won't trigger update_permission on role.

Hope this help for anybody reach this point.