bgadoci

Reputation: 6493

Authorization model for Ruby on Rails

I am building a project management app and I am not sure which is the best/correct authorization model to implement given I am new to Rails (and programming in general). Here is what I am trying to do.

I want to be able to add a "client" to the application and then multiple projects to a client. I would like to be able to add users (that are essentially representatives of the client) to view that client's multiple projects but not other clients'. I intend on having controllers for time tracking, notes, comments and images, all to be associated with both clients and projects of that client.

In addition, I would like to set up the account to control who is able to have one. I don't need the user to establish an account on their own.

Does that make sense?

Upvotes: 1

Views: 752

Answers (6)

sarahhodne

Reputation: 10116

I'd use AuthLogic for authentication (logging in users and making sure they are who they claim to be) and declarative_authorization for authorization (making sure they have access to resources). See Ryan Bates' excellent Railscasts on AuthLogic and restful_authentication for more info.

Upvotes: 0

Chirag Patel

Reputation: 5929

I have used the Authorization plug-in in the past and like it because it gives some nice meta methods such as:

  user.is_eligible_for_what   --> returns array of authorizable objects for which user has role "eligible"
  user.is_moderator_of? group --> returns true/false
  user.is_moderator_of group  --> sets user to have role "moderator" for object group.
  user.is_administrator       --> sets user to have role "administrator" not really tied to any object.

There's also a brand new RailsCast on CanCan.

Upvotes: 1

auralbee

Reputation: 8841

The Ruby Toolbox gives you an overview of tools and their popularity in the Rails community (rated by watchers and forkers on GitHub). As you can see there, the suggested plugins restful_authentication and authlogic are almost on the same level.

Upvotes: 2

Kyle Boon

Reputation: 5231

Restful Authentication is still the golden standard for user authentication in Ruby on Rails.

Upvotes: 1

khelll

Reputation: 24000

I believe what you are mentioning is called Authorization not Authentication, anyway:

I would suggest acl9 for authorization and authlogic for authentication.

Upvotes: 4

John Topley

Reputation: 115362

These (free) Railscasts should give you some food for thought. There are lots of great RubyGems/plugins out there for this sort of thing.

Upvotes: 3
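
The access rule the question describes (client representatives see only their own client's projects, and only an administrator creates accounts), as an added example that is not part of any post in this thread. It is plain Ruby with no Rails or gem APIs, and every class, method and constant name in it is hypothetical.

```ruby
# Added example: hypothetical names, constructed sample data, no gems.
Project = Struct.new(:id, :client_id, :name)
User    = Struct.new(:id, :email, :role, :client_id) # role: :admin or :client_rep

class AccessDenied < StandardError; end

class Directory
  attr_reader :projects, :users

  def initialize(projects)
    @projects = projects
    @users = []
  end

  # Only an admin may create accounts; there is no self-signup path.
  def create_user(actor, email:, role:, client_id: nil)
    raise AccessDenied, "only admins create accounts" unless actor&.role == :admin
    # A rep without a client would otherwise match projects lacking a client_id.
    raise ArgumentError, "client rep needs a client" if role == :client_rep && client_id.nil?
    user = User.new(@users.size + 1, email, role, client_id)
    @users << user
    user
  end

  # Every read starts from the set the user may see, never from all projects.
  def visible_projects(user)
    return @projects if user.role == :admin
    @projects.select { |p| p.client_id == user.client_id }
  end

  # Lookup by id goes through the scope, so requesting another client's
  # project id raises AccessDenied instead of returning the record.
  def find_project(user, id)
    visible_projects(user).find { |p| p.id == id } or
      raise AccessDenied, "project #{id} not visible to user #{user.id}"
  end
end

# Constructed sample data: two clients (ids 10 and 20), three projects.
ADMIN = User.new(0, "admin@example.test", :admin, nil)
DIR = Directory.new([
  Project.new(1, 10, "Acme site"),
  Project.new(2, 10, "Acme app"),
  Project.new(3, 20, "Globex audit")
])
ACME_REP = DIR.create_user(ADMIN, email: "rep@acme.example.test",
                           role: :client_rep, client_id: 10)
```

The same scoping applies to the time entries, notes, comments and images the question mentions: look each one up through the project set the user may see rather than by raw id.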
