Dynamic roles and permissions system in Rails app
If you like CanCan, then I think is best to use it. Here is a short tutorial about storing abilities in database so non-programmers can update them:
https://github.com/ryanb/cancan/wiki/Abilities-in-Database
If you really, really want to implement such system yourself. Depending on your needs, I will suggest for you to implement it as simple as possible.
In the case you need only users to have access to modules(certain controllers). You can do:
Store all users permissions in just like serialized fields -> http://apidock.com/rails/ActiveRecord/Base/serialize/class
class User serialize :permissions, Array
def access_to?(module) permissions.include? module.to_s end end
some check when setting this field would be nice.
Just make a check on top of every controller if the current user have access to this controller(section)
class ApplicationController private
def self.require_access_to(module) before_filter do |c| unless c.send(:current_user).try :access_to?(module) c.send :render_no_presmissions_page end end end
end
class AdminNewsController require_access_to :news end
Of course this is just a start position, from where you can easily evolve.
[EDIT The link given by @RadoslavStankov is a better answer than this.]
You can do it with CanCan easily. Just make a model for permissions (which has_and_belongs_to_many :users
), and in your Ability#initialize
load the permissions appropriate to the user from the model and say that the user can
do them. Then make appropriate user interface for administrating that model.
Something like this:
class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new
user.permissions.each do |permission|
can permission.symbol, permission.scope
end
user.prohibitions.each do |permission|
cannot permission.symbol, permission.scope
end
end
end
where scope
returned something like :all
for nil
scope, or Object.const_get(@scope_name)
otherwise... Play with it. Anyway, it's doable.
More complex CanCan things are likely to be more complex (duh) - for example conditional permissions - but that would be a bitch to administer as well, so I think this should be enough for most applications.