Need help with design of a Rails 2 app having two partitions - ruby-on-rails

I have models A,B,C,D, etc. I have my usual controllers/views/helpers for each of these models. These are accessed by a set of content authors in a form based application to populate data into the db. The content authors will also have categories like authors, publishers, super admins etc. Essentially we have built out a mini content management system.
A set of other users (unrelated to the above set) need to access data in some of these models. But the view for those are totally different. I also do not want these users to have the edit screens for the models they are allowed to view. Essentially these guys are end users who use the application as a read only/analytics data store.
How do I accomplish this? Should I create separate controllers and invoke these models for the user website? How do I ensure the website users do not have access to the cms screens? Any pointers, design principles, routing methods, gems for such an application?

How do I accomplish this? Should I create separate controllers and invoke these models for the user website?
I would create a different set of controllers for the backend and frontend. I would move the backend controller to a namespace. More Information on namespaces: http://guides.rubyonrails.org/routing.html#controller-namespaces-and-routing
How do I ensure the website users do not have access to the cms screens? Any pointers, design principles, routing methods, gems for such an application?
For this you need some kind of authentication and authorization. Some examples:
authentication:
authlogic
devise
authorization:
cancan
declarative_authorization
aegis
acl9
There are some good screencasts on this matter:
Authlogic
Declarative Authorization
Authorization with CanCan
Introducing Devise
Customizing Devise

You need a layer of authentication.
The easiest way, and I'd say the most common one is to make separate controllers for each section, and add a before_filter method in each section authenticating and authorizing user to continue (usually a is_admin? method on the user model), or redirect back with an error message if the user is not allowed.
You can separate your controllers with namespaces (something like /admin/authors, /admin/books/1/edit and so on), and keep them RESTful this way.
If you need a more complex schema, you can use any of the authorization tools out there http://ruby-toolbox.com/categories/rails_authorization.html

Related

API-only Rails app with 'admin' and 'user' roles best practice

I am rebuilding a standard app in Rails (backend + rendering) and looking into creating API-only Rails backend and Node/React frontent.
I'm a little bit riddled on best practices here.
In my old app I had 2 devise models - User and Admin (admin was a separate namespace, so User would not have access to its controllers).
How would you recommend to implement sets of different controllers for admins and users?
Thanks
It always depends in the use case. If the admin has completely other tasks, it's better to create it's own namespace for them. If the admin does the same things as a normal user but with a bit more rights, I would handle the different authorization for both.
For example a user is only authorized to delete his own posts and a admin is allowed to delete all posts.

Rails, managing access of dashboard pages by models roles. Using devise

I am creating dashboard appliaction on Rails4. I have created model Partner with some data. I also have created a lot of models with views that will be associated to this Partner.
I can edit data of all models without any restrictions. Now I want to create Admin, that will login to my app and will manage data. Admins will be added via console and it does not need registration.
Also I want to make Partners to login/register too. Partners can only open pages that are connected to their data and edit them.
Here my questions depending on this situation:
How to remove registration element from Admins not affecting to Partners?
How to restrict Partners to only their own pages while Admins can be everywhere?
Is it good approach to make Admins and Partners to edit data on same dashboard, or I need to create different controllers with different views for Admins and Partners separately?
You should be able to do everything you're discussing by using a gem for handling authorization ( authority ) and one for roles ( rolify )
https://github.com/nathanl/authority
https://github.com/RolifyCommunity/rolify
You shouldn't have to create distinct views/controllers, however, depending on how divergent they are it may be appropriate. You should be able to do most of that logic by using logic to switch based on the permissions you set up.
current_user.can_edit?(page)
within the Authorization setup, you would have to determine who can edit/view/create/etc. There's a good writeup for doing this in the authority wiki.

Best authentication for modular Rails project

I'm still learning Rails, but faced with this project: Web solution should consist of three parts - the website, section for partners and admin panel. Section for partners and admin panel should be available as subdirectories (customer's requirement) like this:
somesite.com
somesite.com/partners/
somesite.com/admin/
I decided to make three separate applications with common models and business logic and deploy them in mentioned way using Passenger and Apache.
In the database should be two models: Admin (for administrators only) and User (quite fat model, common for users and partners, differs by is_partner field). Because those models are common to all three sites, I decided to put them in the Rails Engine, and then use appropriate model for each application. But now I have the issue of choosing the suitable authentication module.
Could you advice one? Should I try to use some already existing solution or I better have to implement my own authentication? Or may be my entire approach to this project is wrong from beginning?
Thank you.
I would use one User model, since you won't need to duplicate any logic, and use three roles: user, partner, and admin, unless admins are drastically different from other users. For authentication, I would suggest Devise, which is the go-to authentication system for Rails. For authorization, I would suggest CanCan.
If you're looking for a pre-made admin interface, try RailsAdmin or ActiveAdmin. RailsAdmin is simple to use and easily configurable, but not too customizable, while ActiveAdmin is a little more difficult to use but more customizable. Both of them are integrated with devise.

Rails Design Question: How should I structure my controllers for multiple privilege levels?

I am writing a site with multiple levels of privileges. There are basically 3 kinds of users in my system. They are Admin, Business, and Consumers (normal users). Let's just say that I am building an advertising site.
So I have a model "Campaign" which has a RESTful API that comes with rails scaffold. Businesses can create campaigns, users can only see which campaigns they want to join, and admins can do everything.
Now, I know how to apply before_filter and check rigorously for the type of users that can access a particular view.
However, each level of privilege has its own unique views.
Businesses can see the insights and analytics of their campaigns. (let's call this campaigns/analytics)
Consumers can see all the campaigns that they have participated in. (let's call this campaigns/your)
And admins have special views where they can monitor the site's activity. (let's call this campaigns/monitor_businesses).
Right now, my CampaignController has the usual RESTful views + analytics + your + monitor_businesses. Of course, I have multiple data models (not just campaigns) and this makes my RESTful controllers for those data models to be really messy.
What should I do? I am seriously considering starting a ConsumerController and then a BusinessController and put all associated views in these controllers. I don't know if this violates "RESTful" principles but I want to know what better patterns exists to deal with my problem.
I am open to all kinds of suggestions.
Why dont you try the CanCan gem for role management?
You can install as you would any gem using bundler.
It is easy to set up and keeps you from creating the same boilerplate code that you normally would by creating extra controllers or actions.
To get you started I suggest that you visit the documentation on the main page. There is more information about defining what a user can do here and you can see how to check for abilities here.
You also need to add one line to controllers you want to enforce permissions on which you can read about here.
If the standard documentation isnt enough to get you started why don't you take a look at Railscast 192. It shows you how to get up and running with CanCan and it is a great source because Ryan Bates is the creator of the screencast as well as the creator of CanCan. If the video moves too fast for you there is a text version here.
y dont you try the cancan gem for role management http://rubygems.org/gems/cancan
or do gem install cancan I hope this helps.

What is the best way to securely add administrative access to my rails website?

I think the answer is an admin login and then check if the user has an admin flag, but I also thought of some other related questions.
Is it better to have an admin flag (attr_protected) in the same user table as non admins? or should i have an admin users table?
Should I create a separate rails application for the admin users? This might be overkill since they will both have to access the same datbase (not to mention it might be a huge pain to set up).
Any other suggestions? Right now I just need to secure a page or two so I even looked into HTTP basic or digest authentication as a temporary measure (the protected content is actually not THAT private/important). But... I don't know how to implement HTTP auth for specific actions, I have only seen how to implement it to prevent directory access.
Any direction and discussion would be great. I am sure other Stack Overflow users will benefit from this discussion.
Thanks!
Ryan Bates has a great three part series of Railscasts on this topic which should give you some food for thought:
Part 1: Where Administration Goes
Part 2: Restricting Access
Part 3: Super Simple Authentication
There are also three Railscasts on different authentication techniques:
RESTful Authentication
HTTP Basic Authentication
Authlogic
I'm using restful_authentication plugin for this purpose. And it is very simple to restrict access to any controller or any method. On example in controller add this function:
private
def authorized?
user.admin?
end
or
private
def authorized?
user.admin? if update? || create?
end
I defined admin? method in my User model. I also created update? and create? methods that check which action was called. In restful_authentication authorized? method is always run when accessing controller.
I would put everything in one application and in one table (don't create users and admin table). You can secure admin flag in your users controller by allowing to set this value only for existing admin users.
I think it depends on the type of administration.
If the view your administrators will have of the site is the same as a normal user's, but with additional privileges, I would go with an admin flag. (Or, as your needs expand, a full-fledged roles table.) This is a situation where everybody sees the same stuff, but administrators have access to various actions (delete? edit? ban? etc.) that normal users do not.
If the view your administrators need is wildly different than the normal site, I would recommend a completely separate Rails app that accesses the same database. For example, if your "administrators" are really help desk employees that are going to answer phone calls or deal with billing questions, they may have completely different views of the database (and perhaps ways to edit the data) that aren't available in the regular application.
The disadvantage to having multiple sites is that it is possible to have models (validations, associations, etc.) get out of sync. The disadvantage to having a single site is that you may end up inserting all sorts of ugly "if-admin" code in previously easy-to-understand portions of your site. Which problem is easier to handle depends on your requirements.

Resources