Reputation: 2907
I'm foraying back into Rails for a current project and am debating what auth gem to use. My challenge is though that there are two tiers of roles.
Organizational level role - think SaaS styled tiers where each Org may have access to a different set of features
User level roles - more traditional and what I've used pundit, cancancan etc for before.
The quirk here, though, is also that a user can belong to many orgs. The current org a user is browsing is stored in the session dependent on certain URL params.
Can anyone share some code examples of authorizing both on a user level role as well as a feature role for the org?
E.g.
User A belongs to Org 123 and is an Admin; they can create/update/delete Posts but cannot attach polls to a post.
User B belongs to Org 543 and is an Admin. They can create/update/delete posts and can create polls because their org has that feature.
Some people suggested using rolify for the org and pundit for users but I feel like there's an easier way to do this without using two separate systems.
Upvotes: 1
Views: 1018
Reputation: 129
Forgive me if I'm wrong, but I think you are misunderstanding the use case for Pundit and Rolify.
From what I understand, gems like Pundit and CanCanCan are intended to handle authorization, not roles. Similarly, Rolify does not handle authorization, but handles establishing roles for users.
If you don't think Rolify works for you, I would suggest creating your own role system. In my opinion, there are two main avenues for implementation:
By the sounds of it, you'd like to implement multiple roles for users. There are obviously many different methods to implement this, the most direct (but maybe insecure) approach being to add an array attribute on your user model, which stores different role types a user has.
Upvotes: 3
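A plain-Ruby sketch of the two-tier check from the question (org feature flag first, then the user's role within the org in session), added here as an example and not code from the question or the answer. The Structs stand in for ActiveRecord models, the feature and role names are made up, and the policy follows Pundit's `initialize(user, record)` / `action?` shape without requiring the gem.

```ruby
# Two-tier authorization sketch: org-level features + per-org user roles.
# Structs stand in for ActiveRecord models (assumed shapes, not the asker's schema).
Org        = Struct.new(:id, :features)   # features: array of enabled feature names
Membership = Struct.new(:org_id, :role)   # one user's role inside one org
User       = Struct.new(:id, :memberships) do
  # Roles are scoped to an org: admin in one org, viewer in another.
  def role_in(org)
    m = memberships.find { |mm| mm.org_id == org.id }
    m && m.role
  end
end
Post = Struct.new(:org_id, :author_id)

class PostPolicy
  ROLE_RANK = { "viewer" => 0, "member" => 1, "admin" => 2 }.freeze

  # +org+ is the org currently selected in the session, as the question describes.
  def initialize(user, post, org)
    @user, @post, @org = user, post, org
  end

  def create?;  role_at_least?("member"); end
  def update?;  role_at_least?("admin") || own_post?; end
  def destroy?; role_at_least?("admin"); end

  # Org-level gate (feature enabled for this org) before the user-level gate.
  def attach_poll?
    @org.features.include?("polls") && role_at_least?("member")
  end

  private

  # Refuse records outside the selected org, so an admin of org A
  # cannot act on org B's post just by switching the session.
  def same_org?
    @post.org_id == @org.id
  end

  def own_post?
    same_org? && @post.author_id == @user.id
  end

  def role_at_least?(required)
    return false unless same_org?
    rank = ROLE_RANK[@user.role_in(@org)]   # nil when the user is not a member
    !rank.nil? && rank >= ROLE_RANK.fetch(required)
  end
end
```

The same-org check is the part that matters most once users belong to many orgs: the role lookup and the record both have to be resolved against the org in session, never against "any org the user is admin of".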