User vs. Administrator best practices

Hi,

My app has a users table. It also has an administrator interface on
<www.mysite.com>/admin
There are going to be many (I hope) users for the site, and only 1 or 2
admins. This is all pretty common I assume. So…

What is the best practice for admin access for web applications?

For example:

  1. have a ‘users’ table and a separate ‘admins’ table. normal app
    controllers use ‘users’ table/model and admin controllers use ‘admins’
    table/model.

  2. have only a ‘users’ table and have a boolean column ‘admin’ in there
    (which in my case will have only 1 entry set to true in all the data
    rows).

I know that both are possible solutions but they both sound pretty scary
to me WRT security… am I just too worried? or are there better
commonly used methods?

Thanks!

I’m not sure what your security concerns are - neither of these methods
really affect the security of your application which is really handled
in the authentication of these users. But, I would think that option 2
is going to provide you with the least amount of headaches - managing
two separate user models would be a lot of trouble for not much value.

c.

Alan <rails-mailing-list@…> writes:

I know that both are possible solutions but they both sound pretty scary
to me WRT security… am I just too worried? or are there better
commonly used methods?

As mentioned, there is little (if any) difference WRT security.

However, when you have a choice of ways to do things, it’s usually best to take
the one which most closely represents your application.

For example, if your admins are users with extra privileges, then one idea would
be to have a users table and a roles table, with a has_many :through
relationship:

class User < ActiveRecord::Base # id
  has_many :privileges
  has_many :roles, :through => :privileges
end

class Privilege < ActiveRecord::Base # id, user_id, role_id
  # the join row carries the foreign keys, so it belongs_to both sides
  belongs_to :user
  belongs_to :role

  # one row per (user, role) pair: validate on the foreign key columns
  validates_uniqueness_of :user_id,
    :scope => :role_id,
    :message => "already has this role"
end

class Role < ActiveRecord::Base # id, name
  has_many :privileges
  has_many :users, :through => :privileges
end

@role = Role.find_by_name("Admin")
# create (rather than new) so the privilege row is actually saved
Privilege.create(:user => @user, :role => @role)

If the logins are completely separate then use 2 tables and have separate login
pages. In any case, a boolean field in your users table probably doesn’t
represent what you’re trying to do, and definitely isn’t extendable if you want
to add more levels of user later on. However, it’s definitely easier to deal
with and quicker to code, so it depends on how much you need this and how long
you have.
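Added example, not code from either reply: a plain-Ruby sketch of the users /
roles / privileges model above, together with the deny-by-default check the
/admin controllers would make against it. It has no Rails dependency so it runs
stand-alone; the ROLES registry, the REQUIRED_ROLE map, the `/moderate` path
and the method names are this example's own assumptions, and the sample users
at the bottom are constructed.

```ruby
require 'set'

# A role is identified by its name, so two Role objects with the same name
# compare equal (what a unique name column gives you in the database).
class Role
  attr_reader :name
  def initialize(name)
    @name = name
  end
  def ==(other)
    other.is_a?(Role) && other.name == name
  end
  alias eql? ==
  def hash
    name.hash
  end
end

# Stand-in for Role.find_by_name: a role exists once it is looked up, so a
# new level of user ("Moderator") needs no schema change, unlike a boolean
# admin column.
ROLES = Hash.new { |h, k| h[k] = Role.new(k) }

class User
  attr_reader :login, :roles
  def initialize(login)
    @login = login
    @roles = Set.new  # plays the part of the privileges join table
  end

  # Grant a role once. A repeat grant is refused, which is what the
  # validates_uniqueness_of on Privilege enforces in the model above.
  def grant(role)
    return false if @roles.include?(role)
    @roles << role
    true
  end

  def has_role?(name)
    @roles.any? { |r| r.name == name }
  end
end

# Which role each protected area requires (hypothetical paths).
REQUIRED_ROLE = {
  "/admin"    => "Admin",
  "/moderate" => "Moderator",
}

# Deny by default: no user (not logged in), a path with no entry in the
# map, or a user lacking the required role all come back false.
def allowed?(user, path)
  role = REQUIRED_ROLE[path]
  return false if user.nil? || role.nil?
  user.has_role?(role)
end

if __FILE__ == $0
  # Constructed sample data
  alan = User.new("alan")
  alan.grant(ROLES["Admin"])
  member = User.new("member")
  puts allowed?(alan, "/admin")    # true
  puts allowed?(member, "/admin")  # false
  puts allowed?(nil, "/admin")     # false
end
```

The point of routing every protected action through one `allowed?` check is
that the admin area never depends on a controller remembering to test a flag:
an unknown path, a missing session and a missing role all fall through to the
same refusal.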