1

I want to be able to allow my admin users to be able to control almost every action that their standard users on the account can do. When creating group permissions for them to manage, is it better to have a giant table with over one hundred rows of booleans, or is it better to store all the permissions in a hash stored in a text field on the database? Maybe only store the things they can't do? Or the things they can do? (Whichever list is most often smaller?)

Is there a standard approach to doing this in webapps?

Some examples of what I'd store:

can_delete_object?
can_edit_object?
can_create_object?
can_delete_minions_object?
can_delete_managers_object?

I really like the can_? syntax that can-can uses. Can-can would be great if it were anything other than defining functions for doing things. Which I still might end up doing in addition to storing all these booleans, because there are account level permissions that will override the group level permissions.

NullVoxPopuli

3 Answers

1

[edit] - clarified the code a bit

I think you should really check out CanCan again if there is any kind of grouping of permissions (i.e. group users into managers, minions, ... with similar permissions and just save that field to the DB instead of a whole hash of abilities).

Here's an example of what the Ability class might look like in your situation:

class Ability
  include CanCan::Ability

  def initialize(user)

    # All registered users can edit their own objects
    can :manage, [Object], :user_id => user.id

    # Different roles
    if user.moderator?
      can :delete, [Object], :user_id => user.minion.id
    elsif user.admin?
      can :delete, [Object], :user_id => user.manager.id
    end
  end
end

Alex Marchant
  • I like this, but eventually, the admins on accounts are going to be able to customize their permissions for the groups on their account. – NullVoxPopuli Feb 29 '12 at 14:10
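As an added example that is not part of the question or of Alex Marchant's answer, and that does not use the CanCan gem itself (so it runs stand-alone), here is a framework-free sketch of the design the question asks about combined with the ownership scoping Alex's Ability class shows: group permissions kept as rows an account admin can edit, only grants stored (the shorter of the two lists), everything absent denied, and account-level denies overriding any group grant. The resolver answers a CanCan-style can?(action, object). The table layout, the class names (GroupPermission, Ability, User, Item), the scope values and the sample rows are all assumptions.

```ruby
require 'set'

# Hypothetical rows of a group_permissions table. Only grants are stored
# (the shorter list); any action/subject pair with no row is denied.
GroupPermission = Struct.new(:group, :action, :subject, :scope, keyword_init: true)

# scope values (assumed): :own (objects the acting user owns), :minions (objects
# owned by users who report to the acting user), :any (no ownership restriction).
User = Struct.new(:id, :group, :manager_id, keyword_init: true)
Item = Struct.new(:id, :owner_id, keyword_init: true)

class Ability
  # grants:         all GroupPermission rows (an account admin edits these freely)
  # account_denies: [[action, subject], ...] fixed at account level; these win
  #                 over any group grant, so loosening a group cannot exceed them
  # users:          directory used to resolve the manager/minion relationship
  def initialize(user, grants, account_denies, users)
    @user   = user
    @grants = grants.select { |g| g.group == user.group }
    @denies = Set.new(account_denies)
    @users  = users
  end

  # CanCan-style query: Ability.new(user, ...).can?(:delete, item)
  def can?(action, item)
    subject = item.class.name
    return false if @denies.include?([action, subject])   # account override wins
    @grants.any? do |g|
      g.action == action && g.subject == subject && in_scope?(g.scope, item)
    end
  end

  private

  def in_scope?(scope, item)
    case scope
    when :own     then item.owner_id == @user.id
    when :minions then @users.any? { |u| u.id == item.owner_id && u.manager_id == @user.id }
    when :any     then true
    else false                                            # unknown scope: fail closed
    end
  end
end

# Constructed sample data standing in for database rows.
SAMPLE_USERS = [
  User.new(id: 1, group: :manager, manager_id: nil),
  User.new(id: 2, group: :minion,  manager_id: 1),
  User.new(id: 3, group: :minion,  manager_id: 1),
]

SAMPLE_GRANTS = [
  GroupPermission.new(group: :minion,  action: :edit,   subject: 'Item', scope: :own),
  GroupPermission.new(group: :manager, action: :edit,   subject: 'Item', scope: :own),
  GroupPermission.new(group: :manager, action: :delete, subject: 'Item', scope: :minions),
]

# Account-level rule: nobody on this account may delete an Item, whatever
# the group rows say.
SAMPLE_ACCOUNT_DENIES = [[:delete, 'Item']]

# Resolve one permission check against the sample data.
def check(user_id, action, item, denies: [])
  user = SAMPLE_USERS.find { |u| u.id == user_id }
  Ability.new(user, SAMPLE_GRANTS, denies, SAMPLE_USERS).can?(action, item)
end

if __FILE__ == $PROGRAM_NAME
  minion_item = Item.new(id: 10, owner_id: 2)
  puts check(2, :edit, minion_item)                                   # true  (own object)
  puts check(3, :edit, minion_item)                                   # false (another minion's object)
  puts check(1, :delete, minion_item)                                 # true  (manager deleting a minion's object)
  puts check(1, :delete, minion_item, denies: SAMPLE_ACCOUNT_DENIES)  # false (account override)
end
```

In a Rails app the grants would be read from the table inside Ability#initialize and fed to CanCan's own can calls, with the scope expressed as a block condition, while the account-level denies stay outside the admin-editable rows. The two details worth keeping whatever the storage choice are that a missing row means deny and that an unrecognised scope value also denies, so an admin editing rows can only ever hand out less than the account allows, never more.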
1

Here is a nice list of Ruby authentication gems.

I've used CanCan and acl9 in depth, and have reviewed several of the others. I agree with the recommendation to use CanCan, but I also had decent success with the acl9 gem on a complex app requiring user, role, and group assigned rights management.

  • The biggest issue I'm having with the gems is that I need to allow my admins to customize the permissions. Nice list though. – NullVoxPopuli Feb 29 '12 at 14:12
  • Ah, I see. I worked on a custom Rails app that mapped custom rights to actions where an admin would have control over those rights. But we did heavy investigation to try to find a gem that supported this functionality and could not find anything. https://github.com/berkmancenter/zone1 is the repo. –  Feb 29 '12 at 14:51
0

It depends on what the permissions are for exactly, perhaps something like CanCan is what you're after?

https://github.com/ryanb/cancan

Would you be able to describe a few of the permissions otherwise?

James Brooks
  • I've looked at cancan, and it's not DB based; it's all on methods... and I'll eventually need to use a bunch of methods... so I may look at this... but it seems to me to be the exact same as defining a bunch of methods in your /lib folder. I'll add some examples. – NullVoxPopuli Feb 29 '12 at 02:44