I'm contemplating using RefineryCMS for a large web application which will include newsletters, blogs, forums, tutorials etc. I know RefineryCMS would be great at creating those things.
My question is: can RefineryCMS deal with different types of users with different types of access/permissions?
If I have a user who is a 'member' I would like to give them the ability to access the blog and forum, but if I have a 'premium' user they should have access to read newsletters, blogs, forums and tutorials. The 'admin' user should be able to manage and see everything in the site.
Is this type of fine grained control out of RefineryCMS's scope and should I be considering just creating this site from scratch?
Yes, you can add fine-grained control by adding a before_filter to the appropriate refinerycms controllers. In that before_filter you could use CanCan, but refinerycms already has a roles table that you can easily leverage for this.
Here's one way to control access to the blog, for example.
Using the console or other interface of your choice, add a new Role with title="member".
Add another with title="premium_user".
Then (if your authentication model is called User), in the console:
>member1 = User.find(1)
>member1.roles << Role.where(:title=>"member").first
>member1.save
Similarly, you would add the "premium_user" role to the right users.
Create MyApp/lib/restrict_blog_to_member_role.rb:
  module RestrictBlogToMemberRole
    # Let the action run only for users carrying the "member" role.
    # current_user may be nil for anonymous visitors, hence the try.
    def restrict_blog_to_member_role
      return true if current_user.try(:has_role?, "member")
      flash[:notice] = "Please become a member with us before accessing the blog."
      redirect_to home_path # or some other destination path that exists
      return false
    end
  end
In MyApp/config/application.rb, set up the before_filter so it will reload on each call in development mode, in case you change it with the server running:
  module MyApp
    class Application < Rails::Application
      # ...
      config.before_initialize do
        require 'restrict_blog_to_member_role'
      end
      # to_prepare runs on every request in development, so edits to the
      # module are picked up without restarting the server.
      config.to_prepare do
        BlogController.send :include, RestrictBlogToMemberRole
        BlogController.send :before_filter, :restrict_blog_to_member_role
      end
      # ...
    end
  end
You can do the same with other refinery controllers like PagesController, Admin::BaseController, Admin::RefinerySettingsController, Admin::Blog::PostsController, etc., and add methods dealing with other roles like "premium_user", depending on what authorization rules you want to implement.
Alternatively, you can override the refinery controllers directly in your app/controllers folder using:
  rake refinery:override controller=blog_controller # for example
Then you can incorporate calls to something like CanCan, or add the before filters above directly. If you override, it is a little harder to upgrade refinerycms when it changes, because you have the extra step of re-overriding and re-merging your code with the latest version of the controller, when it changes.
Re: "admin" user, refinerycms is already going to leverage a role with title="Superuser" and require that at least 1 User has that role. It comes pre-configured with some authorization logic for what Superuser can do that those without that role cannot.
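To make the role mapping from the question concrete without a Rails app, here is an added example (not code from the answer or from Refinery) that models the check the before_filter above performs in plain Ruby. The Role and User classes are constructed stand-ins that only reproduce the has_role? contract, and ACCESS, allowed?, visible_sections and restrict_section are assumed helpers for illustration; the decision fails closed for anonymous visitors (nil current_user) and for roles that grant nothing for the requested section, while "Superuser" (Refinery's built-in admin role) sees everything.

```ruby
require 'set'

# Constructed stand-ins for Refinery's Role and User records; only the parts
# the check needs (a role title, and has_role? on the user) are modelled.
class Role
  attr_reader :title

  def initialize(title)
    @title = title
  end
end

class User
  attr_reader :roles

  def initialize(*titles)
    @roles = titles.map { |t| Role.new(t) }
  end

  # Same contract as Refinery's User#has_role?: true when a role with this
  # title is attached to the user (title match is case-insensitive).
  def has_role?(title)
    roles.any? { |r| r.title.to_s.casecmp?(title.to_s) }
  end
end

# Role -> sections that role may read. "Superuser" is Refinery's built-in admin
# role; "member" and "premium_user" are the roles the question introduces.
# :all means every section, including ones not listed here. (Assumed table.)
ACCESS = {
  'member'       => Set['blog', 'forum'],
  'premium_user' => Set['blog', 'forum', 'newsletters', 'tutorials'],
  'Superuser'    => :all
}.freeze

# Fail-closed decision used by the filter below: an anonymous visitor (nil, which
# is why the answer uses current_user.try) or a user whose roles grant nothing
# for this section is denied. Returns true or false.
def allowed?(user, section)
  return false if user.nil?

  ACCESS.any? do |title, sections|
    user.has_role?(title) && (sections == :all || sections.include?(section))
  end
end

# Sections a user may read, e.g. for building a navigation menu.
def visible_sections(user)
  all = ACCESS.values.reject { |s| s == :all }.reduce(Set.new, :|)
  all.select { |section| allowed?(user, section) }.sort
end

# Plain-Ruby analogue of the before_filter: returns [true, nil] when the action
# may proceed, or [false, notice] where the controller would set flash[:notice]
# and redirect_to home_path.
def restrict_section(user, section)
  return [true, nil] if allowed?(user, section)

  [false, "Please become a member with us before accessing the #{section}."]
end

if __FILE__ == $PROGRAM_NAME
  users = { 'anonymous' => nil,
            'member'    => User.new('member'),
            'premium'   => User.new('premium_user'),
            'admin'     => User.new('Superuser') }
  users.each do |label, user|
    puts "#{label.ljust(10)} -> #{visible_sections(user).join(', ')}"
  end
  ok, notice = restrict_section(users['member'], 'tutorials')
  puts "member on tutorials: allowed=#{ok}, notice=#{notice.inspect}"
end
```

The point of keeping the decision in one table-driven allowed? helper is that every controller filter (blog, forum, tutorials, newsletters) asks the same question, so adding a role or a section is a data change rather than another copy of the filter logic.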