views:

123

answers:

7

I'm building my first website with Rails; it consists of a blog, a few static pages and a photo gallery. The admin section has namespaced controllers. I also want to create a mailing list, collecting contact info (maybe a Spree store in the future too).

Should I just use basic http authentication and check if the user is admin? Or is a plugin like authlogic better, then define user roles even though there would only be two; admin and user?

A: 

You can do that. Authlogic or Devise do that for you.

shingara
A: 

Really it is just a matter of opinion and you'll have to do what is right for you.

Basically you just need to determine what your authentication(user logins etc.) needs are and your authorization(What a user can do) needs are.

I personally am a big fan of authlogic for authentication and Ryan from Railscasts' cancan authorization library:

http://github.com/ryanb/cancan

But again, it is really up to you, and if you use git, you can branch your app and try both. :D

Cheers!

Dustin M.
Would using cancan mean that I wouldn't have to use a namespaced admin section? But make the views a mess...
juststarting
Well, it does add code to your views if you want admin-only features to show up. This actually follows the DRY conventions by not duplicating your view content for an admin-only section. But to answer your question, yes, using cancan would allow you to not have an admin-only section, and yes, it will add code to your views. Again it goes back to personal preference: if your views are basically the same, but with added features for admins, this works well. If not, then perhaps creating a whole different namespace for admins is better. Cheers!
Dustin M.
A: 

Remember that you'd have to use HTTPS for the username/password to be encrypted when traveling over the wire.

Probably not a concern but something to be aware of.

frou
Well, you don't _have_ to use HTTPS if you want that, but it's best if you do. You could also use JavaScript if you really want.
Cam
@incrediman I meant if using the basic type of auth that pops up the browser specific username/password modal dialog. That's the case, right?
frou
Ah. Yes, that's correct of course :)
Cam
A: 

Use rpxnow.com. Integrate with them once, and it will let users from Google, Yahoo, Microsoft, Facebook, etc log into your site.

The process is fairly simple:

  1. Stick their javascript code on your login page.
  2. Write a controller which RPXnow calls with a token for the authentication callback. This routine parses out the token, and makes a secure web call to rpxnow.com to get data about the user. Grab the email address, which is then authentic.
  3. Since you now have an authentic email address, the user can be granted access to the inner part of your site.

If you use RPX for authentication, you don't have to write a "forgot my password" feature, or a "signup" feature with email confirmation. The identity provider does this.

Stackoverflow.com uses a similar scheme for authentication.

(This is based on the assumption that 99% of internet users have one of Google, Yahoo, Hotmail/Live, or Facebook).

Jay Godse
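Step 2 of the procedure above (the callback that trades the RPX token for user data and keeps only the e-mail the provider vouches for), written as an added plain-Ruby example that is not code from this answer or from RPX. The auth_info endpoint, its parameter names and the verifiedEmail/email distinction are assumptions about the RPX API, and the stub response is constructed so it runs offline.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Assumed endpoint and field names (not stated in the answer above):
# RPX posts a one-time "token" to the callback, and auth_info returns
# {"stat":"ok","profile":{"verifiedEmail":...,"email":...}} as JSON.
AUTH_INFO_URL = URI('https://rpxnow.com/api/v2/auth_info')

class RpxError < StandardError; end

# Real transport: an HTTPS POST (Net::HTTP verifies the peer certificate
# by default). The test swaps in the constructed stub below.
DEFAULT_POST = lambda do |uri, form|
  Net::HTTP.post_form(uri, form).body
end

# Exchange the callback token for the identity RPX vouches for and return
# only the provider-verified e-mail address; anything else is rejected.
def rpx_verified_email(params, api_key, post: DEFAULT_POST)
  token = params['token'].to_s
  raise RpxError, 'callback arrived without a token' if token.empty?

  body = post.call(AUTH_INFO_URL,
                   { 'apiKey' => api_key, 'token' => token, 'format' => 'json' })
  data = JSON.parse(body)
  raise RpxError, "auth_info failed: #{data['err'].inspect}" unless data['stat'] == 'ok'

  profile = data['profile'] || {}
  # 'verifiedEmail' is the address the identity provider confirmed; the plain
  # 'email' field may be typed in by the user, so it must not grant access.
  email = profile['verifiedEmail'].to_s.strip.downcase
  raise RpxError, 'provider did not vouch for an e-mail address' if email.empty?
  email
end

# Constructed stub standing in for rpxnow.com so the example runs offline.
STUB_POST = lambda do |_uri, form|
  case form['token']
  when 'good-token'
    '{"stat":"ok","profile":{"verifiedEmail":"Ann@Example.com","email":"typed@example.com"}}'
  when 'unverified'
    '{"stat":"ok","profile":{"email":"typed@example.com"}}'
  else
    '{"stat":"fail","err":{"msg":"Data not found","code":3}}'
  end
end

if __FILE__ == $PROGRAM_NAME
  puts rpx_verified_email({ 'token' => 'good-token' }, 'API-KEY', post: STUB_POST)
end
```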
A: 

To answer your comment to dustmoo: if adding authorization rules to your application "makes the views a mess", then you are not using authorization the right way, which is: being declarative.

declarative_authorization will allow you to "separate" authorization concerns from your application.

There's also cancan, which is a little easier to set up, but has less functionality (you lose Model.with_permissions_to).

egarcia
A: 

I also vote for authlogic + cancan.

The tutorials from Ryan are simple enough to follow; it takes a few hours to set up the whole thing (even for newbies).

If you try to build your own authentication model (and I assume you do not have a lot of experience), the time spent (re-)doing the whole thing (again and again) will justify the time spent learning from the pros.

my 0.02

ohho
A: 

Definitely a subjective question and many correct answers. I wrote a blog post that should get you up and running with Devise for auth and CanCan for roles in about 30 minutes. Hope this helps: http://www.tonyamoyal.com/2010/07/28/rails-authentication-with-devise-and-cancan-customizing-devise-controllers/

Tony