I'm not looking for a complete solution, maybe just a nudge in the right direction? For example, rather than restricting users to certain classes (which seems to be the most common example given for Authorisation/authentication gems) how do I restrict a certain user to a single instance of a class?

Say, for example I have a site for many authenticated/authorised Users:

* These users are employed at different Companies, many of which might have multiple Offices.
* Users employed at one company will never access details of another company or even be aware of their existence.

I was wondering if nested resources or using the database structure was the way to go but I read that more than 2 nesting depths was very bad for site performance...

Are there any gems/open source projects that make it simpler to establish this setup: eg: a single point of entry (on login page for any user) but then redirect them automatically to the Project list in the Company/Office they belong to?

Thanks in advance for any advice you can give.
Michael Pavling
2011-Dec-16 13:38 UTC
Re: Noob looking for an approach to Memberships in Rails
On 16 December 2011 12:36, Jason Wells <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> I'm not looking for a complete solution, maybe just a nudge in the right
> direction? For example, rather than restricting users to certain classes
> (which seems to be the most common example given for
> Authorisation/authentication gems)

Which gems are you specifically referring to as being limited in this way? For instance, both CanCan and Aegis allow very complex permissions models to be defined with their DSLs, and I'm pretty sure the other main options do too.

It's only the most simple permissions-to-roles associations approaches that I've seen that by design give all users of the same role the same access to data. But any system that has a "permissions" model should allow you to define rules that are evaluated for each user (so that a user assigned to a company can only see orders for that company, etc).
You asked for a nudge, but I'll push you off the cliff.

First find some useful videos here:
http://railscasts.com/?tag_id=25
http://railscasts.com/?tag_id=26

Then think about your structure, right now it seems like you have

-Companies
--Offices
-Users

There are always many logical join tables: employment (linking to a company), and work_location (linking to an office, and therefore a company). Depending on your inevitable goals these may or may not be appropriate.

Now you use one of the authentication and authorization methods to restrict controller access to whatever you want.

On Dec 16, 7:36 am, Jason Wells <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> I'm not looking for a complete solution, maybe just a nudge in the right
> direction? For example, rather than restricting users to certain classes
> (which seems to be the most common example given for
> Authorisation/authentication gems) how do I restrict a certain
> user to a single instance of a class?
>
> Say, for example I have a site for many authenticated/authorised Users:
>
> * These users are employed at different Companies, many of which might
> have multiple Offices.
>
> * Users employed at one company will never access details of another
> company or even be aware of their existence.
>
> I was wondering if nested resources or using the database structure was
> the way to go but I read that more than 2 nesting depths was very bad for
> site performance...
>
> Are there any gems/open source projects that make it simpler to
> establish this setup: eg: a single point of entry (on login page for any
> user) but then redirect them automatically to the Project list in the
> Company/Office they belong to?
>
> Thanks in advance for any advice you can give.
I share your pain. The Rails community seems to be mostly satisfied with role-based access control. However I needed a process whereby I could do group-membership-based access control. In my project, content (Posts, Uploads, Comments, etc.) needed to be protected on a group basis.

After much searching I found a way using the CanCan gem and its "hash of conditions" capability. I described the solution in an answer to my own Stack Overflow question:

http://stackoverflow.com/questions/8370654/what-are-the-options-for-group-membership-based-access-control-in-rails

I've proven this approach in initial testing. Have yet to push it into scale testing or production, but CanCan seems to be a well-used gem.

Hope this helps.
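
The per-user rule evaluation discussed in this thread (a user assigned to a company sees only that company's records, expressed as a hash of conditions), as an added example that is not part of any poster's message and is not CanCan's own code. It is a plain-Ruby sketch whose `can`/`can?` method names are modelled on that gem's DSL; the `User`, `Project` and `Ability` definitions and all sample records are assumptions constructed for illustration.

```ruby
# Added example: plain-Ruby sketch of per-tenant rules, not the CanCan gem itself.
# All class names and sample records below are constructed for illustration.
User    = Struct.new(:id, :company_id, :office_ids)
Project = Struct.new(:id, :company_id, :office_id, :name)

class Ability
  def initialize(user)
    @rules = []
    # Rules are built per user, so one rule yields different data per tenant.
    can :read,   Project, company_id: user.company_id
    can :update, Project, company_id: user.company_id, office_id: user.office_ids
  end

  def can(action, klass, conditions)
    @rules << [action, klass, conditions]
  end

  # Deny by default: allowed only if some rule matches every condition.
  # Array(nil) is [], so a user with no company matches nothing.
  def can?(action, record)
    @rules.any? do |act, klass, conditions|
      act == action && record.is_a?(klass) &&
        conditions.all? { |attr, want| Array(want).include?(record[attr]) }
    end
  end

  # Filter a collection the way a controller should scope its queries,
  # instead of loading a record by id and trusting the URL.
  def accessible(action, records)
    records.select { |r| can?(action, r) }
  end
end

# Constructed sample data: two companies, three offices.
PROJECTS = [
  Project.new(1, 10, 100, "Acme HQ refit"),
  Project.new(2, 10, 101, "Acme branch move"),
  Project.new(3, 20, 200, "Globex audit")
].freeze

def visible_names(user)
  Ability.new(user).accessible(:read, PROJECTS).map(&:name)
end

alice = User.new(1, 10, [100]) # employed at company 10, office 100
puts visible_names(alice).inspect
```

In a real Rails application the same conditions would be applied as a database scope on every lookup, so that a guessed record id belonging to another company returns nothing.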