Dynamic roles and permissions system in Rails app

If you like CanCan, then I think is best to use it. Here is a short tutorial about storing abilities in database so non-programmers can update them:

https://github.com/ryanb/cancan/wiki/Abilities-in-Database

If you really, really want to implement such system yourself. Depending on your needs, I will suggest for you to implement it as simple as possible.

In the case you need only users to have access to modules(certain controllers). You can do:

  1. Store all users permissions in just like serialized fields -> http://apidock.com/rails/ActiveRecord/Base/serialize/class

    class User serialize :permissions, Array

    def access_to?(module) permissions.include? module.to_s end end

some check when setting this field would be nice.

  1. Just make a check on top of every controller if the current user have access to this controller(section)

    class ApplicationController private

    def self.require_access_to(module)
       before_filter do |c|
         unless c.send(:current_user).try :access_to?(module)
           c.send :render_no_presmissions_page
         end
       end
    end
    

    end

    class AdminNewsController require_access_to :news end

Of course this is just a start position, from where you can easily evolve.


[EDIT The link given by @RadoslavStankov is a better answer than this.]

You can do it with CanCan easily. Just make a model for permissions (which has_and_belongs_to_many :users), and in your Ability#initialize load the permissions appropriate to the user from the model and say that the user can do them. Then make appropriate user interface for administrating that model.

Something like this:

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new
    user.permissions.each do |permission|
      can permission.symbol, permission.scope
    end
    user.prohibitions.each do |permission|
      cannot permission.symbol, permission.scope
    end
  end
end

where scope returned something like :all for nil scope, or Object.const_get(@scope_name) otherwise... Play with it. Anyway, it's doable.

More complex CanCan things are likely to be more complex (duh) - for example conditional permissions - but that would be a bitch to administer as well, so I think this should be enough for most applications.