Hi,

My app has a users table. It also has an administrator interface on <www.mysite.com>/admin. There are going to be many (I hope) users for the site, and only 1 or 2 admins. This is all pretty common, I assume. So...

What is the best practice for admin access for web applications?

For example:

1) Have a 'users' table and a separate 'admins' table. Normal app controllers use the 'users' table/model and admin controllers use the 'admins' table/model.

2) Have only a 'users' table and a boolean column 'admin' in there (which in my case will have only 1 entry set to true in all the data rows).

I know that both are possible solutions, but they both sound pretty scary to me WRT security... am I just too worried? Or are there better commonly used methods?

Thanks!
--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
I'm not sure what your security concerns are - neither of these methods really affects the security of your application, which is really handled in the authentication of these users. But I would think that option 2 is going to provide you with the least amount of headaches - managing two separate user models would be a lot of trouble for not much value.

c.

Alan wrote:
> Hi,
>
> My app has a users table. It also has an administrator interface on
> <www.mysite.com>/admin
> There are going to be many (I hope) users for the site, and only 1 or 2
> admins. This is all pretty common, I assume. So...
>
> What is the best practice for admin access for web applications?
>
> For example:
>
> 1) Have a 'users' table and a separate 'admins' table. Normal app
> controllers use the 'users' table/model and admin controllers use the 'admins'
> table/model.
>
> 2) Have only a 'users' table and a boolean column 'admin' in there
> (which in my case will have only 1 entry set to true in all the data
> rows).
>
> I know that both are possible solutions, but they both sound pretty scary
> to me WRT security... am I just too worried? Or are there better
> commonly used methods?
>
> Thanks!
> --
> Posted via http://www.ruby-forum.com/.
Alan <rails-mailing-list@...> writes:
> I know that both are possible solutions, but they both sound pretty scary
> to me WRT security... am I just too worried? Or are there better
> commonly used methods?

As mentioned, there is little (if any) difference WRT security. However, when you have a choice of ways to do things, it's usually best to take the one which most closely represents your application.

For example, if your admins are users with extra privileges, then one idea would be to have a users table and a roles table, with a has_many :through relationship:

    class User < ActiveRecord::Base
      # id
      has_many :privileges
      has_many :roles, :through => :privileges
    end

    class Privilege < ActiveRecord::Base
      # id, user_id, role_id
      # The join row belongs to a user and a role (it holds the foreign keys),
      # so belongs_to is the association to use here.
      belongs_to :user
      belongs_to :role
      # A user can hold a given role only once.
      validates_uniqueness_of :user_id, :scope => :role_id,
                              :message => "already has this role"
    end

    class Role < ActiveRecord::Base
      # id, name
      has_many :privileges
      has_many :users, :through => :privileges
    end

    # ...
    @role = Role.find_by_name("Admin")
    # create (not new) so the grant is actually saved
    Privilege.create(:user => @user, :role => @role)
    # ...

If the logins are completely separate, then use 2 tables and have separate login pages.

In any case, a boolean field in your users table probably doesn't represent what you're trying to do, and definitely isn't extendable if you want to add more levels of user later on. However, it's definitely easier to deal with and quicker to code, so it depends on how much you need this and how long you have.
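As an added example that is not code from the thread: the User / Privilege / Role model sketched in the reply above, written in plain Ruby so it runs without ActiveRecord, together with the role check an admin controller's before_filter would perform. The model names come from the post; the methods grant, revoke, role? and authorize, the Role names, and the demo users are assumptions made here, and plain arrays stand in for the has_many :through associations.

```ruby
# Plain-Ruby stand-in for the Rails models in the reply above (assumed names,
# not the project's code). Arrays replace the ActiveRecord associations.

class Role
  attr_reader :name

  def initialize(name)
    @name = name
  end
end

# Join record: one row per (user, role) grant, like the privileges table.
class Privilege
  attr_reader :user, :role

  def initialize(user, role)
    @user = user
    @role = role
  end
end

class User
  attr_reader :login, :privileges

  def initialize(login)
    @login = login
    @privileges = []
  end

  # Equivalent of validates_uniqueness_of :user_id, :scope => :role_id:
  # granting a role the user already holds is rejected, not duplicated.
  def grant(role)
    raise ArgumentError, "#{login} already has this role" if role?(role.name)
    @privileges << Privilege.new(self, role)
    self
  end

  # Dropping the join row removes the privilege; nothing else to update,
  # which is the extensibility point the reply makes against a boolean column.
  def revoke(role)
    @privileges.reject! { |p| p.role.equal?(role) }
    self
  end

  # has_many :roles, :through => :privileges
  def roles
    @privileges.map(&:role)
  end

  def role?(name)
    roles.any? { |r| r.name == name }
  end
end

# What a before_filter on the admin controllers would do: serve the request
# only when the current user holds the required role. A nil user (no session)
# is refused like any other user without the role.
def authorize(user, required_role)
  return :forbidden if user.nil?
  user.role?(required_role) ? :ok : :forbidden
end

ADMIN = Role.new("Admin")
EDITOR = Role.new("Editor")

# Constructed demo data: one admin, one editor, one anonymous request.
def demo
  alice = User.new("alice").grant(ADMIN)
  bob = User.new("bob").grant(EDITOR)
  {
    alice_admin: authorize(alice, "Admin"),
    bob_admin: authorize(bob, "Admin"),
    bob_editor: authorize(bob, "Editor"),
    anonymous: authorize(nil, "Admin"),
    alice_after_revoke: authorize(alice.revoke(ADMIN), "Admin"),
  }
end

if __FILE__ == $0
  demo.each { |check, result| puts "#{check}: #{result}" }
end
```

Adding a third level of user later is a new Role row plus a grant, with no schema change; the boolean-column design would need a new column or a migration to an enum for the same step.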