16

I need to create roles based permissions systems in my Rails app. I would be totally happy with CanCan, but the main problem - it has to be dynamic, so that Admin has to be able to assign permissions and to create new roles. The permissions can be simple controller/action restrictions, and can be data related, for example some users can edit only their own profiles, and some of them can edit the profiles of all the users in the particular group. And it would be really nice to allow Admin to create new permissions.

What I'm thinking about is to store in db a controller/action, and some data related restrictions (I'm really confused here about the way to define them). So could you please give me some advice, what would be the best way to organize permissions?

Any thoughts are much appreciated

alony
  • 10,725
  • 3
  • 39
  • 46

2 Answers2

23

If you like CanCan, then I think is best to use it. Here is a short tutorial about storing abilities in database so non-programmers can update them:

https://github.com/ryanb/cancan/wiki/Abilities-in-Database

If you really, really want to implement such system yourself. Depending on your needs, I will suggest for you to implement it as simple as possible.

In the case you need only users to have access to modules(certain controllers). You can do:

  1. Store all users permissions in just like serialized fields -> http://apidock.com/rails/ActiveRecord/Base/serialize/class

    class User serialize :permissions, Array

    def access_to?(module) permissions.include? module.to_s end end

some check when setting this field would be nice.

  1. Just make a check on top of every controller if the current user have access to this controller(section)

    class ApplicationController private

    def self.require_access_to(module)
   before_filter do |c|
     unless c.send(:current_user).try :access_to?(module)
       c.send :render_no_presmissions_page
     end
   end
end

    end

    class AdminNewsController require_access_to :news end

Of course this is just a start position, from where you can easily evolve.

susie
  • 163
  • 2
  • 17
Radoslav Stankov
  • 624
  • 5
  • 14
  • CanCan project is abandoned. The new project is CanCanCan. The tutorial is: https://github.com/CanCanCommunity/cancancan/wiki/Abilities-in-Database – Diego Somar Jul 15 '19 at 14:03
  • @DR.Somar Yep. Cancan is abandoned. Pundit is a lot of better approach. I have been working on own library for this called KittyPolicy - https://github.com/producthunt/kitty-policy – Radoslav Stankov Jul 26 '19 at 07:21
5

[EDIT The link given by @RadoslavStankov is a better answer than this.]

You can do it with CanCan easily. Just make a model for permissions (which has_and_belongs_to_many :users), and in your Ability#initialize load the permissions appropriate to the user from the model and say that the user can do them. Then make appropriate user interface for administrating that model.

Something like this:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new
    user.permissions.each do |permission|
      can permission.symbol, permission.scope
    end
    user.prohibitions.each do |permission|
      cannot permission.symbol, permission.scope
    end
  end
end

where scope returned something like :all for nil scope, or Object.const_get(@scope_name) otherwise... Play with it. Anyway, it's doable.

More complex CanCan things are likely to be more complex (duh) - for example conditional permissions - but that would be a bitch to administer as well, so I think this should be enough for most applications.

Amadan
  • 191,408
  • 23
  • 240
  • 301