Rails 3 : How to include actions based on roles? - ruby-on-rails-3

I've got different roles on my RPG website. Each user can have many roles and based on this can access features. Let's say for instance a user is a teacher and director, he should access a page to manage his subjects and another to manage all the website.
Some people have more than 5 roles and it becomes really awkward to have 5 links to each office in the header. How can I have an action to include others based on roles?
In fact, I want to show all the offices available for a user on a unique page including offices managed by single actions. How is this possible?
Thank you in advance!
PS: Actions are in different controllers

If I got you right.
I think it sounds like a user's privilege problem. If it is, I recommend Ryan's gem "CanCan". It's super easy to use.
CanCan
And its Railscast: #192 Authorization with CanCan

Make a chain of command, with role-weights. The heaviest role merges a lot of somehow related small ones.

Try the Cancan gem which has a way of constraining database operations based on roles.
Example from the docs:
@articles = Article.accessible_by(current_ability)
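The question's "one page listing every office a multi-role user may open", and the CanCan-style check the answers point to, as an added example in plain Ruby (this is not code from the question, the answers, or the CanCan gem). The role table, the office-to-controller map and the User struct are constructed here; in a Rails app the rules would live in app/models/ability.rb and the before_filter would call the ability object.

```ruby
# Added example: a tiny CanCan-style ability object in plain Ruby.
# ROLE_OFFICES, OFFICE_ACTIONS and User are constructed for the example.
require 'set'

# Constructed rule table: role => offices that role may open.
ROLE_OFFICES = {
  teacher:  [:subjects_office],
  director: [:site_admin_office, :subjects_office],
  player:   [:character_office]
}.freeze

# Constructed map from office to the controller action that renders it,
# so one "offices" page can link to actions in different controllers.
OFFICE_ACTIONS = {
  subjects_office:   { controller: 'subjects',   action: 'index' },
  site_admin_office: { controller: 'admin/site', action: 'index' },
  character_office:  { controller: 'characters', action: 'index' }
}.freeze

User = Struct.new(:name, :roles)

class Ability
  def initialize(user)
    @user = user
    @allowed = Set.new
    # A user with no roles gets an empty set; an unknown role never
    # raises and never grants anything.
    Array(user.roles).each do |role|
      @allowed.merge(ROLE_OFFICES.fetch(role, []))
    end
  end

  # Equivalent of CanCan's `can?(:read, office)`.
  def can_open?(office)
    @allowed.include?(office)
  end

  # Offices to show on the single "my offices" page: deduplicated across
  # roles and in a stable order so the header does not shift between requests.
  def offices
    @allowed.to_a.sort
  end
end

# What the offices page renders: one entry per accessible office,
# each pointing at its controller action.
def offices_for(user)
  Ability.new(user).offices.map { |o| [o, OFFICE_ACTIONS.fetch(o)] }
end

class NotAuthorized < StandardError; end

# Controller-side guard (the before_filter): hiding a link is not
# authorization, so every office action re-checks the ability.
def authorize_office!(user, office)
  raise NotAuthorized, "#{user.name} may not open #{office}" unless Ability.new(user).can_open?(office)
  true
end

if __FILE__ == $0
  u = User.new('alice', [:teacher, :director])
  offices_for(u).each { |office, route| puts "#{office} -> #{route[:controller]}##{route[:action]}" }
end
```

The director's and teacher's shared :subjects_office collapses to one link, which is the deduplication the question is after; the guard stays in the controller so a user who knows the URL of an office they do not hold is refused rather than merely not shown the link.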

Related

Make item "Private" in rails

App Attributes:
Rails 3.2, Mongoid, Devise, Elasticsearch
Basic Structure:
User has a Post
Post can be seen by other users
Situation:
A User wants to remove the post from being viewable by other users for a period of time.
Note
Eventually I would like to extend this capability so that it's possible for said user to be able to make it only viewable to certain colleagues. This way they can collaborate on the post together.
Problem:
I can't seem to think of a good way in rails to do this. One idea I had was to create a Boolean field in the post model that would allow me to achieve some of this but the ACL's would be tricky and unstable at best. So I'm reaching out to the great intelligence this should be cake for some of you.
The solution you suggest is the one that occurs to me. Place a boolean flag private on the Post model, and modify the code you use to fetch Posts to exclude ones with the flag set unless they belong to the current user, (depending on whether private posts are viewable by their owner in that particular context).
I haven't actually worked with Mongoid, but I believe this is as simple as Post.any_of({private: false}, {user_id: current_user.id})
If and when you implement the collaboration functionality you discuss, all you need to do is change that code again - fetch posts that are not private, or that belong to any one of a given set of users.
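The visibility rule from the answer (private flag, owner exception), extended to the per-colleague sharing the question mentions, as an added example in plain Ruby. It is not the answer's own code and it does not use Mongoid; the Post records are constructed. In a real app the same predicate belongs in the database query (the `any_of` form the answer gives), so hidden posts never leave the database.

```ruby
# Added example: server-side visibility filter for posts.
# Post and POSTS are constructed for the example.
Post = Struct.new(:id, :user_id, :private, :collaborator_ids, :body)

# Decides whether `viewer_id` may see `post`.
# - public posts: everyone, including anonymous (nil) viewers
# - private posts: the owner and explicitly listed collaborators only
def visible_to?(post, viewer_id)
  return true unless post.private
  return false if viewer_id.nil?
  post.user_id == viewer_id || Array(post.collaborator_ids).include?(viewer_id)
end

# The feed query: the rule is applied when fetching, not in the view,
# so a template that forgets to check cannot leak a private post.
def visible_posts(posts, viewer_id)
  posts.select { |p| visible_to?(p, viewer_id) }
end

# Direct lookup by id returns nil rather than the record when the viewer
# is not allowed, so a guessed URL behaves exactly like a missing post.
def find_visible(posts, post_id, viewer_id)
  post = posts.find { |p| p.id == post_id }
  post if post && visible_to?(post, viewer_id)
end

# Constructed sample data: user 10 owns one public and one private post,
# user 11 shares a private post with user 10, user 12 shares nothing.
POSTS = [
  Post.new(1, 10, false, [],   'public note by 10'),
  Post.new(2, 10, true,  [],   'draft by 10'),
  Post.new(3, 11, true,  [10], 'draft by 11, shared with 10'),
  Post.new(4, 12, true,  [],   'draft by 12')
].freeze

if __FILE__ == $0
  visible_posts(POSTS, 10).each { |p| puts "#{p.id}: #{p.body}" }
end
```

Adding the collaborator list is the only change needed when the sharing feature arrives, which is the point the answer makes: the rule lives in one place, the fetch, and the views stay untouched.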

user login before or after main application part?

Theoretical question. Let's say I build an application for managing clients, products, bills and such. All without a user login.
Is it possible to get multi user (each one with his own clients,products,...) functionality after the main application is done?
Or should I think of the multi user in the first place? How flexible is rails at this part?
thanks in advance
dennym
What you are asking for is a pattern called Multitenant. There are different ways to do it, but none are provided by Rails natively.
You could start with this slide: http://www.slideshare.net/tardate/multitenancy-with-rails
And figure out what you want to do: partitioning based on data, RBAC, model or schema.
There is one that offers it as a service and says that it is easy to do after you have your application: http://railskits.com/saas/
But in our experience, it was a bit outdated and missing some features that we wanted.
You can also take a look at other gems like: multitenant or act_as_tenant.
We ended up using act_as_tenant and doing it from the beginning.
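The first option the answer lists, partitioning based on data, as an added example in plain Ruby. It is not the answer's code and not the API of the multitenant or act_as_tenant gems; the Client struct, tenant ids and rows are constructed. Every row carries a tenant_id, every read goes through the selected tenant, and writes take their tenant from the scope rather than from user input.

```ruby
# Added example: data-level tenant partitioning over one shared table.
# Client and ROWS are constructed for the example.
Client = Struct.new(:id, :tenant_id, :name)

class NoTenantSet < StandardError; end

class TenantScope
  # Rows from all tenants live in one collection, as with a shared schema.
  def initialize(rows)
    @rows = rows
  end

  # Run a block with a tenant selected, then restore the previous state so a
  # later request cannot inherit the previous user's tenant.
  def with_tenant(tenant_id)
    previous = @current
    @current = tenant_id
    yield self
  ensure
    @current = previous
  end

  # Refuse unscoped reads outright instead of silently returning everything.
  def current!
    raise NoTenantSet, 'no tenant selected' if @current.nil?
    @current
  end

  def all
    @rows.select { |r| r.tenant_id == current! }
  end

  # Lookup by id is scoped too: another tenant's id is simply not found.
  def find(id)
    all.find { |r| r.id == id }
  end

  # Writes inherit the tenant from the scope, never from a submitted
  # tenant_id parameter, so a form cannot move data across tenants.
  def create(name)
    row = Client.new(next_id, current!, name)
    @rows << row
    row
  end

  private

  def next_id
    (@rows.map(&:id).max || 0) + 1
  end
end

# Constructed rows for two tenants.
ROWS = [
  Client.new(1, 'acme', 'Client A'),
  Client.new(2, 'acme', 'Client B'),
  Client.new(3, 'globex', 'Client C')
]

if __FILE__ == $0
  repo = TenantScope.new(ROWS.dup)
  repo.with_tenant('acme') { |s| s.all.each { |c| puts "#{c.tenant_id}: #{c.name}" } }
end
```

Retrofitting this onto an existing single-user app is mostly the migration that adds tenant_id everywhere plus funnelling every query through the scope; the hard part the answer alludes to is finding the queries that bypass it, which is why the scope here raises on an unset tenant instead of returning all rows.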

Rails 3 Dynamic User Roles/Access Levels

I'm developing an application that will be used by teachers to manage student assignments and submissions. However, different schools have different standards for assignment submissions, grades, what students should and shouldn't be able to do. As such, I was looking to implement some flexible role management functionality into my application so that the teachers can decide exactly what privileges the user should and shouldn't be able to perform.
One quick solution to this might be to simply add some boolean fields to my User model that the teachers can manipulate by way of check-boxes and run a before_filter on the pertinent controller actions. Alternatively I could move the role definitions to a separate model belonging to the teachers and run the before_filter on that.
Before I try to implement either of those solutions I was wondering if there were any gems or plug-ins that already handle flexible user-managed role definitions?
Just as a side-note I'm using Devise for my authentication if that means anything.
I found this gem quite useful. https://github.com/EppO/rolify
And it has a way of easy integration with Devise and CanCan https://github.com/EppO/rolify/wiki/Tutorial

Rails 3 - Many to Many - How would you do?

I have found lots of answers on StackOverflow but I'm kinda stuck on this one.
I'll try first to describe with words what I have to do:
I have multiple applications, each application can have one or multiple profiles (one to many).
I also have users, who have access to each application through the different profiles. Each profile can have multiple users (many to many).
Up to here no problem, I can get all profiles a user has been granted.
However, the difficulty here is that for each profile coming from an application, the user has a username, specific to each application. When I see the details of a user, I want to see a list of all the profiles he's in together with the username he has been assigned for each application...
I'm sure there's an easy way to do this with rails, as usual, but I can't seem to find it. How would you do this?
So to make sure I've got this: an Application can have many Profiles, and Users can have many Profiles. So this isn't a simple many-to-many relationship between Application and User because the Profile is a first-class object.
Rails handles simple many-to-many relationships with the has_and_belongs_to_many (HABTM) association, declared on the models on both ends. What's in the middle is unimportant and merely serves to join (relate) the two models.
Your case is more fun. Your many-to-many is described in Rails as "has_many :through", and I think your case is a very good example of such a case. In this case, Application and User each have many of the other through the Profile model. Profile isn't there just to link the two, it holds username, and probably many other details of the User's relationship with his/her Applications.
Start with this excellent guide which should show you how (and why) to choose has_many :through and how to get it all modeled and set up. This is (as you suggest) one of the absolutely brilliant capabilities of Rails.
I hope this is helpful.

Attribute level authorization in Rails 3

I'm using devise for authentication and I'm looking for an authorization framework that lets me declare edit permissions for specific model attributes.
I have three different roles in my app: Teacher, Parent, and Student. The Student model belongs_to Family. When a Teacher creates a Student, they are able to set the Family association. When a Parent visits the edit page for a Student, however, they should not be able to change that association, only view it.
In the view, it's easy to alter the form depending on who is viewing it (disable or don't disable the family select input, for example) but a crafted form can get around that. What I need is something that will throw some kind of authorization exception when someone tries to change an attribute that they are not allowed to change.
I'm currently looking at declarative_authorization, but it seems it's not fine-grained enough to restrict changes to attributes, only the model as a whole.
I've ended up using the new MassAssignmentSecurity feature, although it looks like it might not work that great in conjunction with accepts_nested_attributes_for.
I realize my answer comes 2 years late. For what it's worth what you need is an authorization framework that is fine-grained enough.
XACML, the standard from OASIS provides just that. It can handle any number of attributes.
See my detailed answer here: Rails 4 authorization gem
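The behaviour the question asks for, an authorization error when a submitted form carries an attribute the current role may not change, as an added example in plain Ruby. It is not the question's code and not Rails' MassAssignmentSecurity; the roles, the per-role attribute lists and the Student struct are constructed. In Rails 3.1+ the equivalent is `attr_accessible ..., :as => :role` together with `config.active_record.mass_assignment_sanitizer = :strict`, which raises instead of silently dropping the key.

```ruby
# Added example: role-aware attribute whitelist that raises on a forbidden key.
# STUDENT_PERMITTED and Student are constructed for the example.
class ForbiddenAttribute < StandardError; end

# Constructed per-role whitelist for the Student model: only a teacher may
# change the family association; a parent may only edit the name.
STUDENT_PERMITTED = {
  teacher: %w[name grade family_id],
  parent:  %w[name],
  student: %w[]
}.freeze

# Returns only the permitted attributes, or raises naming the first offending
# key. Keys are normalised to strings so symbol and string params are treated
# alike, and the whole hash is checked before anything is assigned.
def sanitize_attributes(params, role, permitted = STUDENT_PERMITTED)
  allowed = permitted.fetch(role) { raise ForbiddenAttribute, "unknown role #{role}" }
  params.each_with_object({}) do |(key, value), clean|
    key = key.to_s
    raise ForbiddenAttribute, "#{role} may not set #{key}" unless allowed.include?(key)
    clean[key] = value
  end
end

Student = Struct.new(:name, :grade, :family_id)

# The update step of the controller action: whatever the crafted form
# contained, only the sanitised hash reaches the model.
def update_student(student, params, role)
  sanitize_attributes(params, role).each { |k, v| student[k.to_sym] = v }
  student
end

if __FILE__ == $0
  s = Student.new('Ann', 'B', 7)
  update_student(s, { 'name' => 'Anna' }, :parent)
  puts s.inspect
  begin
    update_student(s, { 'name' => 'Ann', 'family_id' => 3 }, :parent)
  rescue ForbiddenAttribute => e
    puts "rejected: #{e.message}"
  end
end
```

Because the check is on the attribute names in the request rather than on the form's disabled inputs, removing the disabled flag in the browser gains nothing; the controller can rescue ForbiddenAttribute and render a 403. The question's caveat about accepts_nested_attributes_for applies here too: nested hashes would need the same whitelist applied per nested model.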