The Easiest Way to Implement Roles for Restful Authentication
I couldn’t find anything as hands-off as I’d like for managing roles with the restful_authentication plugin, so I made one.
restful_roles sits on top of restful_authentication like a small child atop his father’s shoulders. Proud and triumphant, even though most of the accomplishment isn’t really his.
Quite simply, restful_roles is the easiest roles management you can possibly have. It assumes that your roles are sequentially more permissive: each role inherits everything the roles before it can do. So if you’ve defined member, admin, and owner roles, admins can see all the member stuff, and owners can see everything.
Add this to the user migration, or create a separate one. The important thing is to create a string column named “role” in your users table. Because it is an ordinary string column, keep it out of any attr_accessible whitelist on the user model, so that a signup or profile form can’t post user[role]=owner and hand itself the top role.
```ruby
# Class name camel-cased so it matches a file named add_role_to_user.rb.
class AddRoleToUser < ActiveRecord::Migration
  def self.up
    add_column :users, :role, :string
  end

  def self.down
    # remove_column takes only the table and column here; passing :string as a
    # third argument would be read as a second column name to drop.
    remove_column :users, :role
  end
end
```
Add this to the model that is using restful_authentication:
```ruby
# app/models/user.rb
has_roles ['member', 'admin', 'owner']
```
Any user you create gets the first role by default, member in this case. Roles get more exclusive from left to right. Now you can do cool things like this:
```ruby
# when the user's role is set to 'owner'
user.owner?  #=> true
user.admin?  #=> true
user.member? #=> true

# when the user's role is set to 'admin'
user.owner?  #=> false
user.admin?  #=> true
user.member? #=> true

# when the user's role is set to 'member' (default)
user.owner?  #=> false
user.admin?  #=> false
user.member? #=> true
```
You can add role requirements to any controller that uses the login_required before_filter. require_role accepts a role and an optional :only or :except list of actions.
Of course, you have to be a logged-in user to have a role, so if you don’t apply login_required to an action, the role check will never run for that action either: a require_role line on its own protects nothing. Make sure the login_required filter covers at least every action that a require_role rule names. It works by hooking into restful_authentication’s
```ruby
# app/controllers/widgets_controller.rb
before_filter :login_required
require_role 'admin'
```

This requires Admin or greater privileges to use any action in the controller.

Only Some

```ruby
# app/controllers/widgets_controller.rb
before_filter :login_required
require_role 'member', :only => [:index, :show]
require_role 'admin', :only => [:new, :create, :edit, :update]
require_role 'owner'
```
In this case, you have to be at least a Member to see the index/show pages, at least an Admin to see those plus the creation/updating pages, and only Owners can do anything else. The rules are matched in the order they are declared: the first rule that names the current action decides the required role, and the bare require_role 'owner' at the end is the catch-all for any action not listed above it (destroy, here), which is why it comes last.
```ruby
# app/controllers/widgets_controller.rb
before_filter :login_required
require_role 'admin', :except => [:index, :show]
```
The above example requires Admin or greater privileges for everything except the harmless (in this case) index and show actions. Note that those two actions then carry no role requirement at all; only the login_required filter stands in front of them.
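To show how the two halves above compose, here is an added example in plain Ruby. It is not restful_roles’ own code: a has_roles mixin that ranks roles by their position in the list (a blank or unlisted role ranks below every defined role, so a bad column value fails closed), and a rule list that mimics require_role with :only/:except and first-match ordering, built for the two controllers shown on this page. The names SequentialRoles, Rule, RoleRules and User, and the choice to deny an anonymous request outright when a rule applies instead of relying on login_required having run first, are assumptions of this example, not documented plugin behaviour.

```ruby
# Added example, not restful_roles' own code. Models sequential roles and
# ordered require_role rules so the semantics above can be checked offline.
# Names (SequentialRoles, Rule, RoleRules, User) are assumptions.

module SequentialRoles
  # has_roles ['member', 'admin', 'owner'] defines member?, admin?, owner?.
  # A requirement is met when the user's role sits at the same or a higher
  # index in the list.
  def has_roles(roles)
    roles = roles.map(&:to_s)

    # Assumption: a blank or unlisted role ranks below every defined role, so
    # a bad value in the column fails closed instead of granting access.
    define_method(:role_rank) { roles.index(role.to_s) || -1 }

    define_method(:at_least?) do |required|
      required_rank = roles.index(required.to_s)
      raise ArgumentError, "unknown role #{required.inspect}" unless required_rank
      role_rank >= required_rank
    end

    roles.each { |r| define_method("#{r}?") { at_least?(r) } }
  end
end

class User
  extend SequentialRoles
  attr_accessor :role
  has_roles ['member', 'admin', 'owner']

  # New users get the first role, as the page describes.
  def initialize(role = 'member')
    @role = role
  end
end

# One require_role line: a required role plus an optional :only or :except
# action list. A rule with neither covers every action (the catch-all form).
Rule = Struct.new(:role, :only, :except) do
  def covers?(action)
    action = action.to_sym
    return only.map(&:to_sym).include?(action) if only
    return !except.map(&:to_sym).include?(action) if except
    true
  end
end

class RoleRules
  def initialize
    @rules = []
  end

  def require_role(role, options = {})
    @rules << Rule.new(role.to_s, options[:only], options[:except])
    self
  end

  # The first declared rule that covers the action wins, which is what makes
  # the "Only Some" ordering work; nil means no rule names this action.
  def required_role_for(action)
    rule = @rules.find { |r| r.covers?(action) }
    rule && rule.role
  end

  # current_user is nil for an anonymous request. Assumption: deny when a rule
  # applies and nobody is logged in, rather than relying on login_required
  # having run first. An action no rule covers has no role requirement, so
  # only login_required stands in front of it.
  def allowed?(current_user, action)
    required = required_role_for(action)
    return true if required.nil?
    return false if current_user.nil?
    current_user.at_least?(required)
  end
end

# The "Only Some" widgets controller from the page.
WIDGETS = RoleRules.new
WIDGETS.require_role 'member', :only => [:index, :show]
WIDGETS.require_role 'admin',  :only => [:new, :create, :edit, :update]
WIDGETS.require_role 'owner'

# The :except form from the page.
EXCEPT_WIDGETS = RoleRules.new
EXCEPT_WIDGETS.require_role 'admin', :except => [:index, :show]

if __FILE__ == $0
  puts "admin may update:   #{WIDGETS.allowed?(User.new('admin'), :update)}"
  puts "admin may destroy:  #{WIDGETS.allowed?(User.new('admin'), :destroy)}"
  puts "anonymous may index: #{WIDGETS.allowed?(nil, :index)}"
end
```

Two points worth checking against your own controllers: the catch-all rule must come after the :only rules, since a bare rule placed first would cover every action; and an action that no rule covers (index and show in the :except controller) is guarded by nothing but login_required, so it gets exactly the audience you intend only if that filter is in place.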