tags:

views:

27

answers:

2
Q: 

How do I add a user model to my application so data is "user" specific in my Rails app.

Hi, looking to see if there are some ideas on how I should introduce the idea of a logged-in "user" that effectively 'federates' the data....let me explain.

I have been building my app so far as if there is only one user. Me. All the data and reports are specific to me. I just added authlogic.

I now want to be able to introduce a way for a new user to log in, not see any of my data, and use the application. And eventually to pay to use the system.

So far, my assumption is I'd have to go into the models and add a user_id to pretty much each of them, and then go to all controllers and have them search by user.

But I am wondering if there are gems, suggestions, ideas of a better way to federate the data for each user.

Oh...I may want to enable more than one user to have access to some or all of the data belonging to another user. This is for small teams of sales people that may want to share.

So...ideas before I try fumbling around myself...thank you :)

A: 

What you're talking about is called ACL (access control lists). There are a number of plugins for Rails that will do the bulk of the work for you. Google around and see if you can find one that fits your needs.

Edit: After taking a quick look, Acl9 seems to be the most popular Rails 3 compatible one.

Jimmy Cuadra  2010-10-16 06:36:16
Not... really. ACL has more to do with restricting access to certain parts of the system, or controllers/actions in Rails-speak. Think "user 1 is an admin and can view, edit and delete other users," while "user 2 can list other users but not edit them" and "user 3 can't even see the users list." Angela, on the other hand, want all users to be able to access the same controllers and actions, but view different data.
vonconrad  2010-10-16 12:22:08
that's right -- want same controllers and actions, but different data.
Angela  2010-10-16 18:14:09
Ah, okay. I know what ACL is, I just misinterpreted what she was asking.
Jimmy Cuadra  2010-10-17 07:37:00
+2  A: 

You've got the right idea. You have to make relationships between users and the data models. In some cases, it might be a simple belongs_to :user, but if you want multiple users to access certain data, it's going to have to be a many-to-many relationship has_and_belongs_to_many :users.

Then, we simply change the way we fetch data:

# Some controller, no restrictions
def index
  @reports = Report.all
end

def view
  @report = Report.find(params[:id])
end

# Some controller, with restrictuons
def index
  @reports = current_user.reports.all
end

def view
  @report = current_user.reports.find(params[:id])
end

Using the above logic, users will only see whatever data they have a relationship to.

It's probably going to be a little bit of work if you've already created most of the application, no doubt. What you have to be really, really, really careful with is not leaving any Report.all or Report.find(params[:id]) lying around, as that can lead to vulnerabilities--users would be able to access data that isn't actually theirs.

vonconrad  2010-10-16 12:31:06
sigh -- thanks for the code-specifics, that's what Iw as looking for...hoping to find a silver bullet, but that's cool....
Angela  2010-10-16 18:14:33
So does User have to has_many for *all* objects or should I try to find a way to find a single top-level object? Seems more work to do every object, but probably more secure?
Angela  2010-10-23 03:24:36

related questions

Is there a rake task for backing up the data in your database?
How to represent cross-model information in MVC?
WYSIWYG editor gem for Rails?
Best Solution For Authentication in Ruby on Rails
Acts-as-readable Rails plugin Issue
Associating source and search keywords with account creation
Any tips on getting Rails to run with an Access back-end?
Being as DRY as possible in a Ruby on Rails App
How Do You Secure database.yml?
What IDE to use for developing in Ruby on Rails on windows?
Is Ruby On Rails ready for the Enterprise?
OpenID authentication in Ruby on Rails
Why Doesn't My Cron Job Work Properly?
Why does sqlite3-ruby-1.2.2 not work on OS X?
Ruby mixins and calling super methods
Why all the Active Record hate?
Haml: how do I set a dymanic class value?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Ruby On Rails with Windows Vista - Best Setup?
What is good forum software to add to an existing Rails application?
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.