Ruby on Rails Authentication & Access Control

Hi Forum,

I hope someone can help me.

I have a client who has asked me to develop a project status tracking
application using Ruby on Rails which will enable various business
partners to view the status of various projects that are currently in
progress.

Each business partner will have projects which they can view the
status. There will be projects which some business partners cannot
view the status.

Would someone please direct me to a plug-in or tutorial or book which
will enable me to setup this scenario in Ruby on Rails.

I suppose what I’m really looking for is a facility to not only
perform Authentication (i.e., registration, login, logout, etc.) but
also Access Control to projects in this case (e.g., User A can view
Projects A, B & C, but not Projects D, E & F, in fact, User A doesn’t
even know that Projects D, E & F exist).

I hope someone can provide direction.

Thanks in advance.

Kind Regards

Walter

Have a look at:

http://www.railsforum.com/viewtopic.php?id=14216

And particularly post #5, where the author explains about different
“areas” of the application, selecting by the user role.

Regards,
Rey9999

I would probably start with good old faithful restful_authentication
plugin. This will give you your basic login/registration pattern.
Next, I add acl_system2 plugin, which allows me to lock down certain
sections of the website programmatically by adding roles to users.
Very easy.

Next I would create my models, controllers and views for the Projects.
Next I would use a polymorphic has_many :through association to
“attach” projects to users. By using polymorphism you allow the
flexibility to create other types of assets that users might be
restricted in viewing.
Finally I would create a helper method within the User model that
allowed me to check whether a project is viewable by a specific user,
e.g. current_user.allowed?(project).

e.g.
user table
id | login | hashed_password | email

roles table
id | title

roles_users table
user_id | role_id

projects table
id | name | description | created_at | updated_at

assetables table (this is your polymorphic association table, where
you assign projects to your users)
id | user_id | assetable_id | assetable_type

I always get confused with the polymorphic association syntax. If
you’re stuck, get hold of acts_as_taggable_on_steroids and copy the
way they do it, or, just drop back to a has_and_belongs_to_many
association until you really need to use polymorphism.

BTW I find make_resourceful invaluable when dealing with polymorphic
resources, and, in fact all RESTful controllers. You might like to
take a look too mr.hamptoncaitlin.com. Take a look inside the
actions.rb file to see what it’s doing under the hood.

Good luck

Joe
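As an added example (not Joe's code, and not restful_authentication or acl_system2), here is a plain-Ruby stand-in for the tables he sketches: the roles, projects and polymorphic assetables rows are Structs in arrays instead of ActiveRecord models, so it runs without Rails or a database. It shows the `current_user.allowed?(project)` helper, a `visible` scope for listing only the projects a partner may see, and a `show_project` action that answers not-found for both unknown and hidden projects, which is what keeps User A from learning that Projects D to F exist. All names (`User#visible`, `show_project`, the sample data) are assumptions for this illustration.

```ruby
# Added illustration of the access-control model described in the thread.
# Tables from the post, modelled as Structs; in Rails these would be models.
Role      = Struct.new(:id, :title)
Project   = Struct.new(:id, :name, :description)
Assetable = Struct.new(:id, :user_id, :assetable_id, :assetable_type)

class User
  attr_reader :id, :login, :roles

  def initialize(id, login, roles, db)
    @id, @login, @roles, @db = id, login, roles, db
  end

  def admin?
    roles.any? { |r| r.title == 'admin' }
  end

  # current_user.allowed?(asset): true only when an assetables row links this
  # user to this exact asset (type and id), or the user holds the admin role.
  # The type check is what the polymorphic association buys you: the same
  # table can later grant access to documents, invoices, etc.
  def allowed?(asset)
    return true if admin?
    @db[:assetables].any? do |a|
      a.user_id == id &&
        a.assetable_type == asset.class.name &&
        a.assetable_id == asset.id
    end
  end

  # What an index page should render: only the assets this user may see.
  # Filtering here (rather than in the view) means hidden projects never
  # reach the template at all.
  def visible(table)
    @db[table].select { |asset| allowed?(asset) }
  end
end

# Constructed sample data: projects A..F, user_a granted A, B and C only.
def sample_db
  projects = ('A'..'F').each_with_index.map do |letter, i|
    Project.new(i + 1, "Project #{letter}", 'constructed sample project')
  end
  roles = [Role.new(1, 'admin'), Role.new(2, 'partner')]
  assetables = [1, 2, 3].each_with_index.map do |project_id, i|
    Assetable.new(i + 1, 1, project_id, 'Project')
  end
  { projects: projects, roles: roles, assetables: assetables }
end

def sample_users(db)
  partner = User.new(1, 'user_a', [db[:roles][1]], db)
  admin   = User.new(2, 'admin',  [db[:roles][0]], db)
  [partner, admin]
end

# Stand-in for ProjectsController#show. Unknown ids and ids the user is not
# allowed to see both return :not_found, so a guessed id does not reveal
# whether a project exists (a 403 would leak exactly that).
def show_project(user, project_id, db)
  project = db[:projects].find { |p| p.id == project_id }
  return :not_found if project.nil? || !user.allowed?(project)
  project
end

if __FILE__ == $0
  db = sample_db
  partner, admin = sample_users(db)
  puts "user_a sees: #{partner.visible(:projects).map(&:name).join(', ')}"
  puts "admin sees:  #{admin.visible(:projects).size} projects"
  puts "user_a asking for project 4: #{show_project(partner, 4, db).inspect}"
end
```

In a real Rails app the `allowed?` lookup becomes a query on the join model (`assetables.exists?(assetable: project)`) and `visible` becomes a scope joined through the same table; the point that carries over is that both the listing and the `show` action consult the same check, and that the `show` action does not distinguish "no such project" from "not yours".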

or… you could do it all yourself, like the post that just beat me! :wink:

Or sign up for a corporate Basecamp account, spend some time setting
up the users and project data, then spend the summer working on all
those projects.

Rey9999, Wildtangent & Cynthia.

Thank you for your responses. You’ve given me a lot of information to
review and consider.

Thanks.

Walter