Search code examples
ruby-on-railsauthenticationdeviseauthorizationcancan

Using Devise/Cancan/Rolify together


I'm trying to set up an authorization/authentication system, and I'm getting confused, so I have a couple of questions:

  1. In a lot of tutorials, people set up a user/role HABTM relationship. I get that this allows for each user to have multiple roles, but if you want each user to only have one role, is this necessary? If I want to have options for "active" and "inactive" users, should those be roles or something else?
  2. In the Cancan wiki, it says if you want one user to have one role, you should just make it an attribute and then use "can :manage, :all if user.role == "admin"", but isn't that dangerous because each time "admin" is just a string? Does this matter? What's a better way to deal with this?

I've tried my best to read through the documentation for everything involved and I started with this tutorial

http://railsapps.github.com/tutorial-rails-bootstrap-devise-cancan.html

although I've also read http://starqle.com/articles/rails-3-authentication-and-authorization-with-devise-and-cancan-part-1/ and tonyamoyal.com/2010/09/29/rails-authentication-with-devise-and-cancan-part-2-restful-resources-for-administrators/

I just can't really get it to work the way that I want to. How do I do this?


Solution

  • 1. You do not need to multiple roles or a role table

    CanCan is agnostic to how you define roles in your application. You could just as easily have a role field in your user model.

    As for "active" and "inactive" users, you have two options. You could have a field for that status, or you could have an "inactive" role and consider any other role "active". This depends on what you mean by "active" and how you are using that information in your application.

    2. There is nothing wrong with storing a user's role in a string.

    The fact that the role is stored as a string doesn't make it less safe. You should, however, use attr_protected to prevent mass assignment of the user role.

    attr_protected :role
    

    That way, users won't be able to update their own roles.