views: 134

answers: 3

I think the answer is an admin login and then check if the user has an admin flag, but I also thought of some other related questions.

Is it better to have an admin flag (attr_protected) in the same user table as non-admins? Or should I have an admin users table?

Should I create a separate Rails application for the admin users? This might be overkill since they will both have to access the same database (not to mention it might be a huge pain to set up).

Any other suggestions? Right now I just need to secure a page or two so I even looked into HTTP basic or digest authentication as a temporary measure (the protected content is actually not THAT private/important). But... I don't know how to implement HTTP auth for specific actions, I have only seen how to implement it to prevent directory access.

Any direction and discussion would be great. I am sure other Stack Overflow users will benefit from this discussion.

Thanks!

+2  A: 

I'm using the restful_authentication plugin for this purpose, and it is very simple to restrict access to any controller or any method. For example, in a controller add this function:

private

# restful_authentication runs authorized? before every action; returning
# false triggers access_denied. current_user is the plugin's helper for the
# logged-in user, and admin? is defined on the User model.
def authorized?
  current_user.admin?
end

or

private

# Only create and update require an admin; every other action stays open.
# (Writing `current_user.admin? if update? || create?` would return nil,
# i.e. deny access, for all other actions.)
def authorized?
  return true unless update? || create?
  current_user.admin?
end

I defined an admin? method in my User model. I also created update? and create? methods that check which action was called. In restful_authentication the authorized? method is always run when accessing a controller.

I would put everything in one application and in one table (don't create separate users and admin tables). You can secure the admin flag in your users controller by allowing this value to be set only for existing admin users.

klew
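The two decisions this answer describes, as an added example that is not from the answer or the plugin: an authorized?-style check that only demands the admin flag for write actions, and a controller-side filter that lets the admin flag be changed only by someone who is already an admin. It is plain Ruby (no Rails); User, UsersController and the action list are constructed for illustration.

```ruby
# Constructed stand-in for the User model: the admin flag lives in the
# same table as every other user, as the answer recommends.
User = Struct.new(:login, :admin) do
  def admin?
    !!admin
  end
end

module AdminAuthorization
  # Actions that modify data; everything else is a read.
  WRITE_ACTIONS = %w[create update destroy].freeze

  # Same shape as the answer's authorized? hook: reads are open to any
  # logged-in user, writes need the admin flag (or the user editing their
  # own record). An anonymous actor is always denied.
  def authorized?(actor, action, target = nil)
    return false if actor.nil?
    return true unless WRITE_ACTIONS.include?(action.to_s)
    actor.admin? || actor.equal?(target)
  end

  # The attr_protected-style guard from the answer: the "admin" key is
  # dropped from the params unless the acting user is already an admin.
  def safe_user_params(params, actor)
    return params if actor.admin?
    params.reject { |key, _| key.to_s == "admin" }
  end
end

# Constructed controller; update returns the modified user or :forbidden.
class UsersController
  include AdminAuthorization

  def update(actor, target, params)
    return :forbidden unless authorized?(actor, :update, target)
    # Params use the Struct's member names; unknown keys would raise.
    safe_user_params(params, actor).each { |k, v| target[k.to_sym] = v }
    target
  end
end
```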
+4  A: 

Ryan Bates has a great three-part series of Railscasts on this topic which should give you some food for thought:

There are also three Railscasts on different authentication techniques:

John Topley
+1 for ryanb; any new Rails developer should watch his screencasts.
klochner
+1  A: 

I think it depends on the type of administration.

If the view your administrators will have of the site is the same as a normal user's, but with additional privileges, I would go with an admin flag. (Or, as your needs expand, a full-fledged roles table.) This is a situation where everybody sees the same stuff, but administrators have access to various actions (delete? edit? ban? etc.) that normal users do not.

If the view your administrators need is wildly different from the normal site, I would recommend a completely separate Rails app that accesses the same database. For example, if your "administrators" are really help desk employees who are going to answer phone calls or deal with billing questions, they may have completely different views of the database (and perhaps ways to edit the data) that aren't available in the regular application.

The disadvantage to having multiple sites is that it is possible to have models (validations, associations, etc.) get out of sync. The disadvantage to having a single site is that you may end up inserting all sorts of ugly "if-admin" code in previously easy-to-understand portions of your site. Which problem is easier to handle depends on your requirements.

Elliot Nelson
If you put all admin stuff into an admin namespace, you don't need to add any "if-admin" code, and you gain one set of models, one application (fewer resources used on the server), etc.
klew