Restful Roles

The Easiest Way to Implement Roles for Restful Authentication

Source on GitHub

I couldn’t find anything as hands-off as I’d like for managing roles with the restful_authentication plugin, so I made one.

What?

restful_roles sits on top of restful_authentication like a small child atop his father’s shoulders. Proud and triumphant, even though most of the accomplishment isn’t really his.

Quite simply, restful_roles is the easiest roles management you can possibly have. It assumes that your roles are sequentially more permissive. So if you’ve defined member, admin, and owner roles, admins can see all the member stuff, and owners can see everything.

How?

The Migration

Add to the user migration, or create a separate one. The important thing is to create a string field by the name of “role” in your users table.

class AddRoleToUser < ActiveRecord::Migration
  def self.up
    add_column :users, :role, :string
  end

  def self.down
    # remove_column takes only the table and column name; passing :string here
    # would be read as a second column to drop.
    remove_column :users, :role
  end
end

The Model

Add this to the model that is using restful_authentication:

# app/models/user.rb
has_roles ['member', 'admin', 'owner']

Any users you create will be the first role by default – Members in this case. Roles get more exclusive from left to right. Now you can do cool things like this:

# when the user's role is set to 'owner'
user.owner?  #=> true
user.admin?  #=> true
user.member? #=> true

# when the user's role is set to 'admin'
user.owner?  #=> false
user.admin?  #=> true
user.member? #=> true

# when the user's role is set to 'member' (default)
user.owner?  #=> false
user.admin?  #=> false
user.member? #=> true

Controllers

You can add role requirements to any controllers that use the login_required before_filter. require_role accepts a role and an optional :only or :except list of actions.

Of course, you have to be a logged-in user to have a role, and so if you don’t use login_required for an action, then the role checking will never happen for that action. It works by hooking into restful_authentication’s authorized? method.

Catch-all

# app/controllers/widgets_controller.rb

before_filter :login_required
require_role 'admin'

This requires Admin or greater privileges to use any action in the controller.

Only Some

# app/controllers/widgets_controller.rb

before_filter :login_required

require_role 'member', :only => [:index, :show]
require_role 'admin',  :only => [:new, :create, :edit, :update]
require_role 'owner'

In this case, you have to be at least a Member to see index/show pages, at least an Admin to see those plus the creation/updating pages, and only Owners can do anything else.

Except Some

# app/controllers/widgets_controller.rb

before_filter :login_required

require_role 'admin', :except => [:index, :show]

The above example requires Admin or greater privileges for everything except the harmless (in this case) index and show actions.
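To make the model and controller behaviour described above concrete, here is a stand-alone Ruby model of the same semantics: ordered roles where each predicate is true for that role and every role to its right, and require_role declarations with :only/:except resolved against an action. This is added example code, not restful_roles' own implementation; the User, ApplicationController, WidgetsController and ReportsController classes are constructed for illustration, and the rule that the first matching declaration decides an action's role is an assumption chosen to reproduce the results the text describes.

```ruby
# Added example (not restful_roles' own code): a stand-alone model of the
# plugin's hierarchical role semantics. User and the controller classes are
# constructed here for illustration; a real app gets has_roles/require_role
# from the plugin and current_user from restful_authentication.

module HasRoles
  # has_roles ['member', 'admin', 'owner'] defines member?, admin? and owner?;
  # each is true when the user's role is at least that far along the list.
  def has_roles(names)
    roles = names.map(&:to_s).freeze
    define_method(:roles) { roles }
    roles.each { |name| define_method("#{name}?") { has_role?(name) } }
  end
end

class User
  extend HasRoles
  attr_accessor :role
  has_roles ['member', 'admin', 'owner']

  # New users get the first (least privileged) role, as the plugin does.
  def initialize(role = nil)
    @role = role || roles.first
  end

  # Position of the user's role in the list; an unknown string gives -1, so
  # a mistyped or tampered role value satisfies no predicate (fail closed).
  def role_level
    roles.index(role.to_s) || -1
  end

  def has_role?(name)
    level = roles.index(name.to_s)
    !level.nil? && role_level >= level
  end
end

# One require_role declaration: a role plus optional :only / :except lists.
RoleRequirement = Struct.new(:role, :only, :except) do
  def applies_to?(action)
    a = action.to_s
    return false if !only.empty? && !only.include?(a)
    !except.include?(a)
  end
end

module RequireRole
  def role_requirements
    @role_requirements ||= []
  end

  def require_role(role, options = {})
    role_requirements << RoleRequirement.new(role.to_s,
                                             Array(options[:only]).map(&:to_s),
                                             Array(options[:except]).map(&:to_s))
  end

  # Assumption about the plugin's internals: the first declaration that covers
  # the action decides which role it needs. This reproduces the layered
  # behaviour of the "Only Some" listing (member for index/show, admin for the
  # editing actions, owner for everything else).
  def required_role(action)
    req = role_requirements.find { |r| r.applies_to?(action) }
    req && req.role
  end
end

class ApplicationController
  extend RequireRole

  def initialize(current_user)
    @current_user = current_user
  end

  # Stand-in for the authorized? hook that login_required calls. An anonymous
  # user holds no role, so any declared requirement fails closed for them;
  # with no requirement declared, only the login check itself applies.
  def authorized?(action)
    required = self.class.required_role(action)
    return true if required.nil?
    !@current_user.nil? && @current_user.has_role?(required)
  end
end

class WidgetsController < ApplicationController
  require_role 'member', :only => [:index, :show]
  require_role 'admin',  :only => [:new, :create, :edit, :update]
  require_role 'owner'
end

class ReportsController < ApplicationController
  require_role 'admin', :except => [:index, :show]
end

if __FILE__ == $0
  member, admin, owner = User.new, User.new('admin'), User.new('owner')
  puts WidgetsController.new(member).authorized?(:index)   # true
  puts WidgetsController.new(member).authorized?(:new)     # false
  puts WidgetsController.new(admin).authorized?(:destroy)  # false: owners only
  puts WidgetsController.new(owner).authorized?(:destroy)  # true
  puts ReportsController.new(member).authorized?(:create)  # false
end
```

Because `role` is an ordinary string column, keep it out of whatever attributes a signup or profile form may assign in bulk; otherwise the sequential model is only as strong as the form that writes the column.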
