Check Role of user in spree Rails - ruby-on-rails

I have 2 roles
1. user
2. Gatekeeper
My database is like this:
table: spree_roles_users
fields:
role_id
user_id
Both users and gatekeepers have rights to create a new visitor,
but on the index page it should display only visitors which are entered by a gatekeeper,
so how do I check the role of a user_id?
Example:
There is a society, say "My society".
There are 5 users who are registered from My society: 3 users have the "User" role, 1 user has the "admin" role, and 1 user has the "Gatekeeper" role.
All 5 of them can save the Visitors form, but on the index page only those visitors should be visible which are entered by a person with the "Gatekeeper" role.
So how do I check Id_user against spree_roles_users
so that visitors entered by a Gatekeeper are visible?

I think you might be more interested in Solidus (a fork of Spree) which has received a lot of work pertaining to permissions inside of Spree. The permissions are managed by CanCan and you can find them located inside of permission helpers.
https://github.com/solidusio/solidus/tree/master/core/lib/spree/permission_sets
Spree is not that mature when discussing permissions...
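As an added example (not part of the question, the answer, or Spree's own code), here is the index filter the question asks for, written as plain Ruby over in-memory copies of the three tables so it runs without Rails. The spree_roles and spree_roles_users layouts follow the question; the visitors table and its created_by_id column are assumptions. The point it shows is that the filter is a join from visitors through spree_roles_users to the role name, and that it belongs in the query the index action runs, so the response never contains rows the view is merely not showing.

```ruby
# Added example, not from the question or from Spree. Three in-memory "tables":
# spree_roles and spree_roles_users follow the question; visitors is constructed.
ROLES = [
  { id: 1, name: "user" },
  { id: 2, name: "gatekeeper" },
  { id: 3, name: "admin" },
].freeze

# spree_roles_users: one row per (role_id, user_id) pair.
# Constructed data: users 10-12 are plain users, 13 is admin, 14 is the gatekeeper.
ROLES_USERS = [
  { role_id: 1, user_id: 10 },
  { role_id: 1, user_id: 11 },
  { role_id: 1, user_id: 12 },
  { role_id: 3, user_id: 13 },
  { role_id: 2, user_id: 14 },
].freeze

# Constructed visitor rows; created_by_id (assumed column) records who saved the form.
VISITORS = [
  { id: 100, name: "Visitor A", created_by_id: 10 },
  { id: 101, name: "Visitor B", created_by_id: 14 },
  { id: 102, name: "Visitor C", created_by_id: 13 },
  { id: 103, name: "Visitor D", created_by_id: 14 },
].freeze

# All user ids that hold the named role (the join spree_roles -> spree_roles_users).
def user_ids_with_role(role_name, roles: ROLES, roles_users: ROLES_USERS)
  role = roles.find { |r| r[:name] == role_name }
  return [] unless role

  roles_users.select { |ru| ru[:role_id] == role[:id] }
             .map { |ru| ru[:user_id] }
             .uniq
end

# Single-user check, the equivalent of user.has_spree_role?("gatekeeper").
def has_role?(user_id, role_name, roles: ROLES, roles_users: ROLES_USERS)
  user_ids_with_role(role_name, roles: roles, roles_users: roles_users).include?(user_id)
end

# The index query: only visitors whose creator holds the role.
def visitors_entered_by_role(role_name, visitors: VISITORS, roles: ROLES, roles_users: ROLES_USERS)
  ids = user_ids_with_role(role_name, roles: roles, roles_users: roles_users)
  visitors.select { |v| ids.include?(v[:created_by_id]) }
end

if __FILE__ == $PROGRAM_NAME
  visitors_entered_by_role("gatekeeper").each { |v| puts "#{v[:id]} #{v[:name]}" }
end
```

In the app the same filter is a join on the ActiveRecord side. Assuming the visitor model declares `belongs_to :created_by, class_name: 'Spree::User'`, the index query is `Visitor.joins(created_by: :spree_roles).where(spree_roles: { name: 'gatekeeper' })`, using the `spree_roles` association Spree defines on its user model, and the per-user check is `current_spree_user.has_spree_role?('gatekeeper')`. The visitor model and association name are assumptions; the Spree methods are the ones its user module provides.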

Related

How to create multiple roles for single user in ruby on rails?

I am trying to create a web application using ruby on rails. In this application a user has multiple roles like
role1 = teacher
role2 = student
role3 = staff
But the thing is a user can switch between these roles by changing account settings in the application.
e.g.:
A student can also change his role to teacher and then they can teach some others.
When they change the role, the pages, timeline, homepage, everything should be displayed according to their current role.
How can I model the database for this and how can I perform the associations for this?
I am new to ruby on rails so please help & thanks in advance!
Of course! You can keep track of the current user and then you assign the user role when they switch.
If not, you can also use the rolify gem to add or remove roles and the cancan gem for authorization.
You could keep a list of user roles and also track something called a current role.

Rails 4 - Rolify with renewal date for role

I'm trying to set up roles in my Rails app with Rolify.
I have a CRUD model setup for roles. I'm about to start exploring how certain users can assign scoped roles to other users.
Is there a way I can allow users who are permitted to assign roles, to specify a renewal date, by which they need to confirm that the user is continuing in that role?
At the moment, my roles table only has associations to resource and user, and a string attribute called :name (for the name of the role).
Can I add a boolean for true/false on whether the role has an expiry date, and if it does, when a renewal notice should be issued?
Is there a better way to go about this?
This can be a good idea:
Create a table for roles and permissions.
Add a field has_expired in that table.
When you save the permission, set the expiry date.
When the user logs in, test the expiry date.
Then set has_expired to true.
If you are using the cancancan gem, then in the ability.rb model:
if user.role.has_expired?
cannot :manage, Role
end
Hope it helps
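The following is an added example of the renewal-date idea; it is my code, not the answer's and not rolify's. Rather than flipping a stored has_expired flag at login, it computes expiry from an expires_on date every time has_role? runs, so a role that lapses during a long session is denied at the next check and nothing has to wait for a fresh login. renewal_due? gives a scheduled job the list of roles to send notices for. The Role and User structs and the 14-day notice window are assumptions.

```ruby
require "date"

# Added example, not from the answer or from rolify. A role carries an optional
# renewal date; expiry is computed from it at check time instead of being stored.
Role = Struct.new(:name, :resource, :expires_on, keyword_init: true) do
  # A nil expires_on means the role never needs renewal.
  def expired?(today = Date.today)
    !expires_on.nil? && expires_on < today
  end

  # True when a renewal notice is due: still valid, but expiring within
  # notice_days (the 14-day default is an assumption).
  def renewal_due?(today = Date.today, notice_days: 14)
    return false if expires_on.nil? || expired?(today)

    (expires_on - today).to_i <= notice_days
  end
end

User = Struct.new(:email, :roles, keyword_init: true) do
  # Mirrors rolify's user.has_role?(name, resource) but ignores lapsed roles,
  # so a role that expired mid-session stops working at the next check.
  def has_role?(name, resource = nil, today: Date.today)
    roles.any? { |r| r.name == name.to_s && r.resource == resource && !r.expired?(today) }
  end
end

# Stand-in for the ability.rb logic in the answer: what may this user do to Role records?
def role_permissions(user, today: Date.today)
  user.has_role?(:admin, today: today) ? [:manage] : [:read]
end

# Roles a scheduled job should send renewal notices for.
def roles_needing_renewal(user, today: Date.today)
  user.roles.select { |r| r.renewal_due?(today) }
end

if __FILE__ == $PROGRAM_NAME
  admin = Role.new(name: "admin", resource: nil, expires_on: Date.new(2024, 6, 30))
  user = User.new(email: "manager@example.com", roles: [admin])
  p role_permissions(user, today: Date.new(2024, 6, 1))   # [:manage]
  p role_permissions(user, today: Date.new(2024, 7, 1))   # [:read]
end
```

The design choice is that the date is the source of truth: a stored boolean set at login is stale for anyone already logged in when the date passes, and it cannot be un-set without another write when a role is renewed.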

A Rails app where the User is also a "something else", not sure how to word this correctly

I am working on a Rails app where the data model involves the following:
Companies, which have_many Restaurants
Restaurants, which have_many Reservations
Customers, which have_many Reservations
My confusion comes from the fact that there are 3 distinct types of users:
An employee of the Company, who can see an admin dashboard showing data on all of the restaurants that company owns/manages
The restaurant itself (which will, in theory, have their dashboard open all day, and should be able to log into their own dashboard, but not be able to see any other restaurant's dashboard)
The customer, who has a UI to make a reservation at a certain restaurant
Should the Restaurant be a type of User?
Should each restaurant just get its own standard user login to access their specific restaurant? If this is the case, would a Restaurant have_one User, and I can use something like CanCanCan to restrict Users so that they can only access a Restaurant where the Restaurant's ID == User.restaurant.id?
This is my first app that addressed atypical User types, so I'm at a complete loss on this. Any guidance/best practices on how to address a situation like this would be much appreciated!
Additionally, I would like to use Devise for the User model(s). Thanks!
I would say, first of all, that it is only ever a User that is actually logging into your website. A restaurant can't log into a website. A user who is a representative of the restaurant can log in. Therefore the restaurant should not be a type of user.
A better fit is to give your users roles, and have one of the roles be "restaurant_manager" or something. These users would naturally be associated with the restaurant too, so your code could look something like
if current_user.role == "restaurant_manager"
  # show extra links for the restaurant admin section
elsif current_user.role == "company_manager"
  # show extra links for the company admin section
end
or something along those lines, and, like you suggest, you make sure that a user can only ever access their own restaurant/company in the restaurant/company admin sections.

What is the purpose of Rolify?

Hi, I'm using rolify and have just realized that I'm not actually taking advantage of its full potential.
At present I am doing things in my controller like re-routing users if current_user.has_role? :whatever_role, and allowing users if they have whatever other role...
Someone asked a question on stackoverflow about rolify and when I got to trying to answer it, I realized that I'm doing it wrong.
Now, here is where my confusion starts... Inside of ability.rb I have:
user ||= User.new # guest user (not logged in)
if user.has_role? :consumer
  can :manage, Review
else
  can :read, Review
end
Now let's say I add the consumer role to a user:
x=User.last
x.add_role :consumer
# => #<Role id: 10, name: "consumer", resource_id: nil, resource_type: nil, created_at: "2013-04-18 23:00:46", updated_at: "2013-04-18 23:00:46">
Right, so the role is created. I can check this by doing:
x.has_role? :consumer
=> true
Now I would expect this to give management ability for reviews...
x.has_role? :consumer, Review
=> true
but not for other models... here I try products
x.has_role? :consumer, Product
=> true
Further, when I look at "resource roles querying" and try to query the applied roles for reviews I find no applied roles:
Review.first.applied_roles
=> []
Can someone please explain rolify to me? Thanks
My answer, garnishing the question from this reddit post:
Authentication is establishing a User is who they claim to be.
Authorization is establishing that a User can perform a given action, be it reading or writing, after they've established their identity.
Roles are just common patterns of authorization across users: this User can be authorized as such, that User can be authorized like this instead.
The ingredient you're missing here is Permissions: a relationship between an established Role and some controller action.
Roles themselves make no promises about what action a User can perform. And remember--authorization is all about actions. Roles generalize what kind of User you're dealing with. They exist to keep you from having to query every User for a giant laundry list of Permissions. They declare: this User is a Role! Of course they have Permission to do that!
There are many types of Permission. You can store them in a database if you want your sufficiently authorized Users to be able to edit them, along with your Roles if those too ought to be configurable. Or, if your User's Roles are sufficiently static, you can manage Permissions in advance with Ruby code:
When I want to have configurable Roles and Permissions, i.e. for a client application you're handing off to someone at completion of contract, I implement a User :has_many Roles and a Role :has_many Permissions with my own custom models, and then add a before_filter :authorize hook into my ApplicationController, and write an authorize method on it that knows how to marshal these expectations, or render a 403 page for those people who insist upon manually entering URLs to things they hope expose actions to things they oughtn't have access to.
When I want to just have configurable Roles, I use Ryan Bates' CanCan gem.
When I want to have predetermined Roles and Permissions, I use Rolify in conjunction with Nathan Long's Authority, to get delightfully flexible Class-based Permissions via Authorizer classes.
Both Roles and Permissions can be either class-based or instance-based, depending on your use-case. You can, say, with the abilities of rolify you've just discovered, decide that Users may only act as a Role in certain, instance-based circumstances. Or, general Roles of User may only be able to execute an action given the object they are trying to action is of a certain type.
To explore the permutation of these, assuming a blog application, following the formula
a User who is a/an Role class/instance can action a/an/all/any/that (class/instance) Permission:
Role class and Permission class:
A User who is an Admin can delete any Post.
Role class and Permission instance:
A User who is an Admin can edit all Posts that they approved to be published
This would be easier if published posts had an approved_by field pointing to a User id. (Use a state machine gem for this sort of situation.)
Role instance and Permission class:
A User who is an Author of a Post can comment on any Post
Note that this sort of situation is rare, which is why there are no gems I've mentioned above to handle this situation, except for perhaps the ability to manage predetermined circumstances like Rolify and Authority in conjunction; or, if you must pass this decision on to your client, your own custom solution.
Role instance and Permission instance:
A User who is an Author of a Post can edit that Post.
TL;DR:
Rolify is just for roles: grouping Users by Permission: access to a controller action. You have yet to decide how you are going to manage Permissions.
I hope this helps your understanding of Rolify's position in the grand scheme of authentication and authorization!

How to create a User - Group model in Rails, with multiple authorization enabled?

A user could create a "group", which other users could join in. Each group has its own admin and moderators so on and could do something like creating posts, inviting users, etc.
I think "has_many through" should be used here, but not sure about the authorization, since the role is based on different groups. The roles set up in CanCan seem not fit into it, admin is just for one group, not the whole site.
Seems like confusion between a user and its role.
A "Group" has many "users". A "user" has one (or more) "role(s)" (admin) toward a group "ALPHA". A "user" might have another role ("listener") on another group "DELTA".
Admin is a role, Moderator and listener are roles just the same.
You have to create a role check like user.is_admin_of?(GroupObject), so the first step is to create the role: https://github.com/timonv/rollable
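Both the "Role class/instance, Permission class/instance" matrix in the rolify answer above and the per-group admin asked about here come down to one question, "may this user do this action to this object?", answered from two separate pieces of data: which roles the user holds (globally or on a specific instance) and which permissions each role confers. The block below is an added example in plain Ruby; it is my code, not any answer's and not rolify, CanCan or Authority. It encodes the four blog examples from the answer as rules and adds the group-scoped admin from this question, deciding every request by a single deny-by-default can? call. Post and Group are stand-in models (assumptions). One deliberate difference from rolify: here a global grant does not satisfy an instance-scoped check, so the four cases stay distinct; rolify itself answers resource queries with a global role, which is what the questioner observed with has_role? :consumer, Product.

```ruby
# Added example, not from any answer above nor from rolify, CanCan or Authority.
# Post and Group are assumed models standing in for ActiveRecord classes.
Post  = Struct.new(:id, :author, :approved_by, keyword_init: true)
Group = Struct.new(:name, keyword_init: true)

# One role grant: global when resource is nil, scoped to one instance otherwise.
Grant = Struct.new(:role, :resource, keyword_init: true)

class User
  attr_reader :name, :grants

  def initialize(name)
    @name = name
    @grants = []
  end

  # rolify-style: add_role(:admin) is global, add_role(:author, post) is scoped.
  def add_role(role, resource = nil)
    @grants << Grant.new(role: role, resource: resource)
    self
  end

  # has_role?(:admin) checks a global grant; has_role?(:author, post) checks a
  # grant on exactly that instance (unlike rolify, a global grant does not match).
  def has_role?(role, resource = nil)
    @grants.any? { |g| g.role == role && g.resource == resource }
  end

  # The per-group check from the user/group question: admin of this group only.
  def is_admin_of?(group)
    has_role?(:admin, group)
  end
end

# Permissions live here, apart from roles. Each rule names the role it needs,
# how that role is scoped, the action and target class it permits, and an
# optional instance condition:
#   scope :global -> user holds the role with no resource      (Role class)
#   scope :any    -> user holds the role on some klass instance (Role instance)
#   scope :this   -> user holds the role on the target itself   (Role instance)
#   cond  nil     -> applies to the whole class                 (Permission class)
#   cond  lambda  -> applies only to matching instances         (Permission instance)
RULES = [
  # Role class + Permission class: an Admin can delete any Post
  { role: :admin,  scope: :global, action: :delete,  klass: Post,  cond: nil },
  # Role class + Permission instance: an Admin can edit the Posts they approved
  { role: :admin,  scope: :global, action: :edit,    klass: Post,
    cond: ->(user, post) { post.approved_by.equal?(user) } },
  # Role instance + Permission class: an Author of a Post can comment on any Post
  { role: :author, scope: :any,    action: :comment, klass: Post,  cond: nil },
  # Role instance + Permission instance: an Author of a Post can edit that Post
  { role: :author, scope: :this,   action: :edit,    klass: Post,  cond: nil },
  # Group-scoped admin: the admin of one Group can invite to that Group only
  { role: :admin,  scope: :this,   action: :invite,  klass: Group, cond: nil },
].freeze

def role_satisfied?(user, rule, target)
  case rule[:scope]
  when :global then user.has_role?(rule[:role])
  when :any    then user.grants.any? { |g| g.role == rule[:role] && g.resource.is_a?(rule[:klass]) }
  when :this   then user.has_role?(rule[:role], target)
  else false
  end
end

# The one authorization question. Deny by default: some rule must match on
# action, target class, role scope and instance condition.
def can?(user, action, target)
  RULES.any? do |rule|
    rule[:action] == action &&
      target.is_a?(rule[:klass]) &&
      role_satisfied?(user, rule, target) &&
      (rule[:cond].nil? || rule[:cond].call(user, target))
  end
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice").add_role(:admin)
  bob   = User.new("bob")
  post  = Post.new(id: 1, author: bob, approved_by: alice)
  bob.add_role(:author, post)
  alpha = Group.new(name: "ALPHA")
  bob.add_role(:admin, alpha)
  puts "alice edits post:  #{can?(alice, :edit, post)}"    # true: she approved it
  puts "bob deletes post:  #{can?(bob, :delete, post)}"    # false: no admin role
  puts "alice invites:     #{can?(alice, :invite, alpha)}" # false: site admin is not group admin
end
```

The shape to notice is that roles never appear in controllers; the controller asks can?(current_user, :edit, @post) and the rules table is the only place that knows what an admin or an author is allowed to do, which is the "Permissions" ingredient the rolify answer says is missing.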
