Rails 3 Dynamic User Roles/Access Levels - ruby-on-rails-3

I'm developing an application that will be used by teachers to manage student assignments and submissions. However, different schools have different standards for assignment submissions, grades, and what students should and shouldn't be able to do. As such, I was looking to implement some flexible role management functionality into my application so that the teachers can decide exactly which privileges each user should and shouldn't have.
One quick solution to this might be to simply add some boolean fields to my User model that the teachers can manipulate by way of check-boxes and run a before_filter on the pertinent controller actions. Alternatively I could move the role definitions to a separate model belonging to the teachers and run the before_filter on that.
Before I try to implement either of those solutions I was wondering if there were any gems or plug-ins that already handle flexible user-managed role definitions?
Just as a side-note I'm using Devise for my authentication if that means anything.

I found this gem quite useful: https://github.com/EppO/rolify
It also integrates easily with Devise and CanCan; see the tutorial: https://github.com/EppO/rolify/wiki/Tutorial

Related

Filtering queries by user and role / scoping data

I am using ABP Commercial to implement a custom CRM system. I am looking for an example, a best practice, a library, or even a framework for scoping data according to user IDs and roles.
Simple scoping, like showing only the entities created by a certain user, is fairly straightforward. But what about showing increasingly broad data based on a hierarchy of user roles?
For example, I might have a basic user role that can only see data created by the user in that role. Then, I might have a manager role that can see his own data and all the data created by the basic users he manages. Contemplating any decent size organization, you can see how this hierarchy might get quite deep.
So can anyone tell me whether there is a facility or module within ABP Commercial or the ABP Framework to facilitate this kind of pattern, or a third-party best practice, library, or framework that might work in conjunction with my code to realize this functionality?
In the past I have written my own implementations but I am looking for a DDD or clean architecture based solution.
EDIT
A more specific example of what I'm trying to do is to create an extension of the user class and role class or to add additional entities managed by a domain service that would allow for:
users to have a collection of roles they manage and a collection of specific users they manage, and…
roles to have a collection of other roles they manage (think composite pattern)
These relationships would be used to filter all kinds of queries within my application.
Here are some use cases:
return a list of contacts associated with the clients of my direct reports
return a flattened list of all users managed by me or my reports
return the total revenue of all sales made by users managed by me or my reports
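The three use cases above are all the same operation: take the transitive closure of "who manages whom" over both relationships (users managing specific users, and roles managing other roles, composite-pattern style), then filter rows by creator. The following is an added illustration in plain Ruby, not ABP or any library's code; the algorithm is language-neutral. Class names, the sample organisation and the sales rows are constructed for the example. Both graphs may contain cycles (a role that ends up managing itself, two users listed as each other's managers), so each traversal keeps a visited set.

```ruby
require "set"

# Added example, not ABP code: the management hierarchy from the question
# modelled as plain objects, with "all users managed by me or my reports"
# computed as a graph traversal. Identity-based classes rather than Structs,
# so cyclic role/user references hash safely.
class Role
  attr_reader :name, :managed_roles
  def initialize(name)
    @name = name
    @managed_roles = []      # composite pattern: roles this role manages
  end
end

class User
  attr_reader :id, :roles, :managed_users, :managed_roles
  def initialize(id, roles = [])
    @id = id
    @roles = roles           # roles held by this user
    @managed_users = []      # specific users this user manages
    @managed_roles = []      # roles whose holders this user manages
  end
end

# Every role reachable from `roles` through managed_roles, cycle-safe.
def role_closure(roles)
  seen = Set.new
  stack = roles.dup
  while (role = stack.pop)
    stack.concat(role.managed_roles) if seen.add?(role)
  end
  seen
end

# Users `user` manages in one hop: listed directly, or holding a managed role.
def directly_managed(user, all_users)
  managed = role_closure(user.managed_roles)
  user.managed_users + all_users.select { |u| u.roles.any? { |r| managed.include?(r) } }
end

# Ids of every user managed by `me` or, transitively, by my reports.
# Breadth-first with a visited set, so manager/report cycles terminate.
def managed_user_ids(me, all_users)
  ids = Set.new
  queue = directly_managed(me, all_users)
  until queue.empty?
    user = queue.shift
    next if user.equal?(me) || !ids.add?(user.id)
    queue.concat(directly_managed(user, all_users))
  end
  ids
end

# Data scope: my own rows plus rows created by anyone in the flattened tree.
def scope_to_visible(records, me, all_users)
  visible = managed_user_ids(me, all_users) << me.id
  records.select { |r| visible.include?(r[:created_by]) }
end

# Constructed sample organisation (not real data) with deliberate cycles.
def sample_org
  basic = Role.new("basic")
  lead = Role.new("team_lead")
  manager = Role.new("manager")
  manager.managed_roles << lead
  lead.managed_roles << basic
  basic.managed_roles << basic           # misconfigured self-managing role

  alice = User.new(1, [manager])
  bob = User.new(2, [lead])
  carol = User.new(3, [basic])
  dave = User.new(4)
  erin = User.new(5)
  alice.managed_roles << lead            # alice manages leads, hence basics
  bob.managed_users << dave
  dave.managed_users << erin
  erin.managed_users << dave             # manager/report cycle
  { users: [alice, bob, carol, dave, erin], alice: alice, bob: bob }
end

# Constructed sales rows keyed by creator id.
SALES = [
  { created_by: 1, amount: 100 }, { created_by: 2, amount: 10 },
  { created_by: 3, amount: 5 }, { created_by: 4, amount: 2 },
  { created_by: 5, amount: 7 },
].freeze

# Total revenue of the sales visible to `me`.
def revenue_for(me, all_users)
  scope_to_visible(SALES, me, all_users).sum { |s| s[:amount] }
end

if __FILE__ == $PROGRAM_NAME
  org = sample_org
  puts managed_user_ids(org[:alice], org[:users]).to_a.sort.inspect
  puts revenue_for(org[:alice], org[:users])
end
```

In a real system the closure would be computed once per request (or cached per user) and handed to the query layer as an `IN (...)` list of creator ids; the point of the visited sets is that a bad row in the role table cannot turn every query into an infinite loop.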

Rails 3 - Many to Many - How would you do?

I have found lots of answers on StackOverflow but I'm kinda stuck on this one.
I'll try first to describe with words what I have to do:
I have multiple applications, each application can have one or multiple profiles (one to many).
I also have users, who have access to each application through the different profiles. Each profile can have multiple users (many to many).
Up to here no problem; I can get all the profiles a user has been granted.
However, the difficulty is that for each profile coming from an application, the user has a username specific to that application. When I see the details of a user, I want to see a list of all the profiles he's in, together with the username he has been assigned for each application...
I'm sure there's an easy way to do this with Rails, as usual, but I can't seem to find it. How would you do this?
So to make sure I've got this: an Application can have many Profiles, and Users can have many Profiles. So this isn't a simple many-to-many relationship between Application and User because the Profile is a first-class object.
Rails handles simple many-to-many relationships with the has_and_belongs_to_many (HABTM) association, declared on the models on both ends. What's in the middle is unimportant and merely serves to join (relate) the two models.
Your case is more fun. Your many-to-many is described in Rails as "has_many :through", and I think your case is a very good example of such a case. In this case, Application and User each have many of the other through the Profile model. Profile isn't there just to link the two, it holds username, and probably many other details of the User's relationship with his/her Applications.
Start with this excellent guide which should show you how (and why) to choose has_many :through and how to get it all modeled and set up. This is (as you suggest) one of the absolutely brilliant capabilities of Rails.
I hope this is helpful.

Rails 3 : How to include actions based on roles?

I've got different roles on my RPG website. Each user can have many roles and, based on these, can access features. Let's say, for instance, a user is a teacher and a director: he should be able to access a page to manage his subjects and another to manage the whole website.
Some people have more than 5 roles and it becomes really awkward to have 5 links to each office in the header. How can I have an action include others based on roles?
In fact, I want to show all the offices available to a user on a single page, including offices managed by single actions. How is this possible?
Thank you in advance!
PS: Actions are in different controllers
If I got you right, it sounds like a user-privilege problem. If it is, I recommend Ryan's gem "CanCan". It's super easy to use.
CanCan
And its Railscast: #192 Authorization with CanCan
Make a chain of command with role weights: the heaviest role merges many related smaller ones.
Try the CanCan gem, which has a way of constraining database queries based on roles.
Example from the docs:
@articles = Article.accessible_by(current_ability)
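Whichever gem is used, the thing that makes a multi-role "offices" page safe is that the menu and the per-action check are computed from the same permission table, so hiding a link never substitutes for authorization. The following is an added example in plain Ruby, not CanCan's code or the site's own: it combines the "heavier role includes lighter ones" idea from the answer above with a union over all of a user's roles, and builds the one-page office list from that union. Role names, controller/action pairs and office labels are assumptions for the RPG example.

```ruby
require "set"

# Added example, plain Ruby rather than the CanCan gem: one table saying which
# controller actions each role grants, with heavier roles including lighter
# ones. The same table answers "may this user do X?" and "which offices does
# this user get on the page?". Role and action names are assumptions.
ROLES = {
  member:   { includes: [],         grants: [%w[characters index]] },
  teacher:  { includes: [:member],  grants: [%w[subjects index], %w[subjects update]] },
  director: { includes: [:teacher], grants: [%w[site manage], %w[members index]] },
  guard:    { includes: [:member],  grants: [%w[reports moderate]] },
}.freeze

# Label for each office page; only actions listed here appear in the menu.
OFFICES = {
  %w[characters index] => "My characters",
  %w[subjects index]   => "My subjects",
  %w[site manage]      => "Site management",
  %w[reports moderate] => "Moderation desk",
}.freeze

# All (controller, action) pairs granted by the given roles, following
# `includes` transitively with a visited set so a mis-declared cycle stops.
def permissions_for(role_names)
  granted = Set.new
  seen = Set.new
  pending = role_names.map(&:to_sym)
  while (name = pending.pop)
    next unless seen.add?(name)
    role = ROLES.fetch(name) { raise ArgumentError, "unknown role #{name}" }
    role[:grants].each { |pair| granted << pair }
    pending.concat(role[:includes])
  end
  granted
end

# The check a before_filter would run for a controller action.
def can?(role_names, controller, action)
  permissions_for(role_names).include?([controller.to_s, action.to_s])
end

# Offices reachable by this user, in OFFICES declaration order, without
# duplicates even when several of the user's roles grant the same page.
def offices_for(role_names)
  perms = permissions_for(role_names)
  OFFICES.select { |pair, _| perms.include?(pair) }.values
end

if __FILE__ == $PROGRAM_NAME
  puts offices_for([:teacher, :director, :guard]).inspect
  puts can?([:teacher], :site, :manage)
end
```

Because `offices_for` and `can?` read the same `ROLES` table, a user who types the URL of an office that is not on their page hits the same `can?` answer that hid the link.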

Correct way of applying REST in Rails 3 many User Types

I want to apply REST to my Rails 3 application.
I understand the basics but am still a NOOB and would like some help or advice if this is correct.
I have a USER model. However I have three kinds of User, as in they have different roles in the application.
When I create, say, the Celebrant, I need to do other things in the create action that are different from the things I need to do for the Manager, which are again different from what I need to do for the Participant.
So I was thinking of creating three resources.
1. Celebrant - new, create only
2. Manager - new, create only
3. Participant - new, create only
This way I can have three REST new and create actions that are different from each other.
Is this the best way to go about this?
A couple of thoughts…
1. DRY
If Celebrant, Manager, and Participant all extend User, then it's best to have 1 controller. Most of the code will be the same between the 3 controllers otherwise.
2. Fat Models, Skinny Controllers
The controllers just pass parameters to models, so really you should only have to call 1 method on the model in the controller, like User.create. This makes it so your controllers don't perform any logic, so you don't need 3 separate controllers.
Check out the inherited_resources gem to pretty much remove all code from your controllers.
Doing it like this, you handle what happens before/after create in each of your User model subclasses.
3. Using a Role model instead of User subclasses
I ran into your exact problem before. I started with 3 user classes. But I quickly wanted to do more with the roles, add more, blur the lines, etc. By having 1 User model which has_many :roles (there's role plugins out there), you can handle all your custom logic in your save callbacks in the user model based on roles. Now your controller is lean, and you don't have to manage 3 classes.
Hope that helps.

Attribute level authorization in Rails 3

I'm using devise for authentication and I'm looking for an authorization framework that lets me declare edit permissions for specific model attributes.
I have three different roles in my app: Teacher, Parent, and Student. The Student model belongs_to Family. When a Teacher creates a Student, they are able to set the Family association. When a Parent visits the edit page for a Student, however, they should not be able to change that association, only view it.
In the view, it's easy to alter the form depending on who is viewing it (disable or don't disable the family select input, for example) but a crafted form can get around that. What I need is something that will throw some kind of authorization exception when someone tries to change an attribute that they are not allowed to change.
I'm currently looking at declarative_authorization, but it seems it's not fine-grained enough to restrict changes to attributes, only the model as a whole.
I've ended up using the new MassAssignmentSecurity feature, although it looks like it might not work that great in conjunction with accepts_nested_attributes_for.
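The point in the question is the one that matters for security: disabling a select in the view is cosmetic, and the server has to reject a crafted form that re-adds the field. Rails 3.1 added scoped whitelists (`attr_accessible :family_id, as: :teacher` with `assign_attributes(params, as: current_role)`), and Rails 3.2 added `config.active_record.mass_assignment_sanitizer = :strict`, which raises on a disallowed attribute instead of logging and dropping it. The following is an added example in plain Ruby, not Rails' MassAssignmentSecurity, declarative_authorization or any gem: a per-role write whitelist for the Student form that raises on the first disallowed attribute, and that descends into nested attribute hashes, the case the answer above flags as awkward. Role names, attribute names and the sample params are assumptions.

```ruby
# Added example in plain Ruby (not declarative_authorization, CanCan or
# Rails' MassAssignmentSecurity): a per-role write whitelist for the Student
# form in the question, enforced server-side so a crafted form that re-adds
# a disabled field is rejected with an exception rather than silently dropped.
# Role names and attribute names are assumptions for illustration.
class AttributeNotAllowed < StandardError; end

# `true` means the attribute may be written; a Hash is a nested whitelist,
# e.g. for a family_attributes hash produced by accepts_nested_attributes_for.
STUDENT_WRITE_POLICY = {
  teacher: {
    "first_name" => true, "last_name" => true, "family_id" => true,
    "family_attributes" => { "id" => true, "name" => true, "phone" => true },
  },
  parent: {
    "first_name" => true, "last_name" => true,
    "family_attributes" => { "id" => true, "phone" => true },  # may not rename or re-link
  },
  student: { "first_name" => true },
}.freeze

# Raises AttributeNotAllowed naming the first offending key (dotted path for
# nested keys); returns params unchanged when every key is permitted.
def authorize_attributes!(params, role)
  allowed = STUDENT_WRITE_POLICY.fetch(role) do
    raise AttributeNotAllowed, "unknown role #{role.inspect}"
  end
  check_keys!(params, allowed, role, [])
  params
end

def check_keys!(params, allowed, role, path)
  params.each do |key, value|
    key = key.to_s                      # form params arrive as strings
    full = (path + [key]).join(".")
    rule = allowed[key]
    raise AttributeNotAllowed, "#{role} may not set #{full}" unless rule
    next unless rule.is_a?(Hash)
    unless value.is_a?(Hash)
      raise AttributeNotAllowed, "#{full} must be a hash of nested attributes"
    end
    check_keys!(value, rule, role, path + [key])
  end
end

# Convenience for callers that prefer a boolean over rescuing.
def attributes_allowed?(params, role)
  authorize_attributes!(params, role)
  true
rescue AttributeNotAllowed
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed crafted submission: a parent re-adding the disabled family select.
  crafted = { "first_name" => "Ann", "family_id" => 42 }
  begin
    authorize_attributes!(crafted, :parent)
  rescue AttributeNotAllowed => e
    puts "rejected: #{e.message}"
  end
end
```

Call `authorize_attributes!(params[:student], current_role)` before the model sees the params; raising rather than stripping means a tampered request fails loudly and shows up in logs, instead of quietly saving everything except the field the attacker added.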
I realize my answer comes 2 years late. For what it's worth, what you need is an authorization framework that is fine-grained enough.
XACML, the standard from OASIS provides just that. It can handle any number of attributes.
See my detailed answer here: Rails 4 authorization gem