
Can I use RefineryCMS with Cancan or similar?

I'm contemplating using RefineryCMS for a large web application which will include newsletters, blogs, forums, tutorials etc. Creating those things I know RefineryCMS would be great at.

My question is can RefineryCMS deal with different types of users with different types of access/permissions?

If I have a user which is a 'member' I would like to give them the ability to access the blog and forum, but if I have a 'premium' user they should have access to read newsletters, blogs, forums and tutorials. The 'admin' user should be able to manage and see everything in the site.

Is this type of fine-grained control out of RefineryCMS's scope, and should I be considering just creating this site from scratch?

map7 asked Dec 27 '22 15:12


1 Answer

Yes, you can add fine-grained control by adding a before_filter to the appropriate refinerycms controllers. In that before_filter you could use CanCan, but refinerycms already has a roles table that you can easily leverage for this.

Here's one way to control access to the blog, for example.

Using the console or other interface of your choice, add a new Role with title="member".

Add another with title="premium_user"

Then (if your authentication model is called User), in the console

>member1 = User.find(1)
>member1.roles << Role.where(:title=>"member").first
>member1.save

Similarly, you would add the "premium_user" role to the right users.

Create MyApp/lib/restrict_blog_to_member_role.rb

module RestrictBlogToMemberRole
  # before_filter: only a signed-in user holding the "member" role may continue.
  def restrict_blog_to_member_role
    return true if current_user.try(:has_role?, "member")
    flash[:notice] = "Please become a member with us before accessing the blog."
    redirect_to home_path # or some other destination path that exists
    return false
  end
end

In MyApp/config/application.rb, set up the before_filter so it will reload on each call in development mode, in case you change it with the server running....

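module MyApp
  class Application < Rails::Application
    # ....
    # Load the module from lib/ before the app initializes.
    config.before_initialize do
      require 'restrict_blog_to_member_role'
    end
    # to_prepare runs on every request in development, so the filter is re-attached after reloads.
    config.to_prepare do
      BlogController.send :include, RestrictBlogToMemberRole
      BlogController.send :before_filter, :restrict_blog_to_member_role
    end
    # ....
  end
end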

You can do the same with other refinery controllers like PagesController, Admin::BaseController, Admin::RefinerySettingsController, Admin::Blog::PostsController, etc., and add methods dealing with other roles like "premium_user", depending on what authorization rules you want to implement.

Alternatively, you can override the refinery controllers directly in your app/controllers folder using

rake refinery:override controller=blog_controller #for example.

Then you can incorporate calls to something like CanCan, or add the before filters above directly. If you override, it is a little harder to upgrade refinerycms when it changes, because you have the extra step of re-overriding and re-merging your code with the latest version of the controller, when it changes.

Re: "admin" user, refinerycms is already going to leverage a role with title="Superuser" and require that at least 1 User has that role. It comes pre-configured with some authorization logic for what Superuser can do that those without that role cannot.

Anatortoise House answered Dec 31 '22 13:12
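An added example, not part of the answer above or of RefineryCMS: the per-role before_filter generalised into one deny-by-default policy table covering the question's member / premium / admin rules. `User`, `FakeController`, `SectionPolicy` and the section names are hypothetical stand-ins so the code runs without Rails; the role titles are the ones used in the answer.

```ruby
# Stand-in for the app's User model (assumption: has_role? takes a role
# title, as in the answer's current_user.try(:has_role?, "member")).
User = Struct.new(:name, :role_titles) do
  def has_role?(title)
    role_titles.include?(title.to_s)
  end
end

module SectionPolicy
  # Role title => sections it may read (constructed from the question's rules).
  GRANTS = {
    "member"       => %i[blog forum],
    "premium_user" => %i[blog forum newsletter tutorial],
  }.freeze
  ALL_ACCESS_ROLE = "Superuser" # role title the answer says Refinery uses

  # Deny by default: nil user, unknown role or unknown section => false.
  def self.allowed?(user, section)
    return false if user.nil?
    return true if user.has_role?(ALL_ACCESS_ROLE)
    GRANTS.any? { |title, sections| sections.include?(section) && user.has_role?(title) }
  end

  # Builds a module defining restrict_<section>_access, in the same shape as
  # the answer's filter (true = continue, false = redirected away).
  def self.filter_for(section)
    Module.new do
      define_method("restrict_#{section}_access") do
        return true if SectionPolicy.allowed?(current_user, section)
        flash[:notice] = "You do not have access to the #{section}."
        redirect_to home_path
        false
      end
    end
  end
end

# Minimal fake controller so the filter can be exercised outside Rails.
class FakeController
  attr_reader :current_user, :flash, :redirected_to
  def initialize(user); @current_user, @flash = user, {}; end
  def home_path; "/"; end
  def redirect_to(path); @redirected_to = path; end
end
class FakeTutorialsController < FakeController
  include SectionPolicy.filter_for(:tutorial)
end
```

In a real app the generated module would be included into the Refinery controller inside `config.to_prepare`, followed by the matching `before_filter` call, exactly as the answer does for `BlogController`.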