Design of Rails app with multiple user types using Devise and STI

I'm relatively new to Rails, having written only one app so far. I used Devise for authentication in that app. Now I'm on to my second one, and I have to put more thought into authentication since I have many user types, as opposed to the single user type in my first app.

I've been researching the issues so that when I put the code to the metal (or cloud) I can do so with a clear design in mind.

I found this post most useful so far:

  • devise and multiple "user" models

Background

I'm creating an online marketplace in which Customers will order stuff from Providers.

I'm planning to create the following user types:

  • Customer: accesses the marketplace and orders stuff
  • Provider: creates stuff in the marketplace and processes orders
  • Employee: works for a provider
  • Super Admin: manages the site
  • Admin: manages portions of the site delegated by Super Admin

The following fields are what I've identified as being shared between the three user types above:

  • Email address (used as login ID)
  • Mobile number

Each user type then has different fields (4 - 6 additional fields each).

Customers and Providers will self-register. Employees and Admins will be registered by Providers and Super Admins respectively.

An Employee will be associated with a Provider. I don't foresee an employee being associated with more than one provider.

I also do not foresee the need for a user having multiple roles.

My Plan

After doing some research into the options, I decided on the following:

I will create three different user models:

  • Customer
  • Provider
  • Super Admin

In my head, these are all really different users who will interact with different sections of the application, so it feels clean. Based on my research, this approach also allows me to fully customise the registration procedure for each user category. For example, I could allow Customers to register with their Facebook account (using OmniAuth), but not extend this option to my Providers. And of course Super Admins won't be :registerable at all. I understand that each user will have separate login pages, which is not an issue for me (it is in fact desirable).

Having different models, especially for Admin also allows me to refactor with ease later, in case I do need to implement additional roles.

The Question

Is the design above as simple as I can make it? No battle plan ever survives contact with the enemy. But I'm hoping Rails is my friend :) So on paper, my plan seems simple to me. Is there anything I'm missing that will make its implementation more complex than it appears on paper?

Additionally, even though I have devised the above plan (pun intended) I am open to other suggestions. For example, is there any reason I would want to do STI for all models (have a single User model from which all my other models inherit)?

Thanks for reading!

asked Nov 11 '22 15:11 by andreobrown


1 Answer

RailsCasts has a pretty solid solution to handle at least some of the complexity introduced by your solution. Bates introduces a roles attribute to the User model that encapsulates which role (or roles) the user has. He couples this with the gem CanCan to dictate which role can perform which actions.

Check this out http://railscasts.com/episodes/192-authorization-with-cancan?view=asciicast

First take a look at how he's setting and getting the roles attribute, and then take a look at how he's coupling that with CanCan.

answered Nov 14 '22 21:11 by djrtwo
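Whichever way the models are split (separate Devise models as in the question, or one User with a roles attribute as in the answer), the part that actually protects data is the authorization layer, and the point worth getting right for this marketplace is that an Employee or Provider must be scoped to their own provider's records, not just to a record type. The block below is an added example, not code from the question, the answer, the RailsCasts episode or the CanCan gem: it is a small dependency-free stand-in that borrows only CanCan's can / can? shape, uses the five user types from the question as plain Structs, and makes up the fields (provider_id, sections), the actions (:process) and the rules for illustration.

```ruby
# Added example (not from the original page, not the CanCan gem): a minimal
# CanCan-style Ability class for the five user types in the question.
# All classes, fields, actions and rules below are assumptions for illustration.

Customer   = Struct.new(:id, :email)
Provider   = Struct.new(:id, :email)
Employee   = Struct.new(:id, :email, :provider_id)   # exactly one provider
Admin      = Struct.new(:id, :email, :sections)      # sections delegated by a Super Admin
SuperAdmin = Struct.new(:id, :email)

Product = Struct.new(:id, :provider_id)
Order   = Struct.new(:id, :customer_id, :provider_id)

class Ability
  Rule = Struct.new(:action, :subject, :condition)

  def initialize(user)
    @rules = []
    case user
    when SuperAdmin
      can :manage, :all
    when Admin
      # an Admin manages only the sections the Super Admin delegated to them
      can :manage, Product if user.sections.include?(:products)
      can :manage, Order   if user.sections.include?(:orders)
    when Provider
      # ownership is checked per record, not per class (no IDOR across providers)
      can :manage, Product, ->(p) { p.provider_id == user.id }
      can :manage, Order,   ->(o) { o.provider_id == user.id }
    when Employee
      # an Employee acts for one Provider; everything is scoped to that provider
      can :read,    Product, ->(p) { p.provider_id == user.provider_id }
      can :process, Order,   ->(o) { o.provider_id == user.provider_id }
    when Customer
      can :read,   Product
      can :create, Order
      can :read,   Order, ->(o) { o.customer_id == user.id }
    end
    # nil or an unknown user type falls through with no rules: deny by default
  end

  def can(action, subject, condition = nil)
    @rules << Rule.new(action, subject, condition)
  end

  # can?(:read, Order) asks about the class; can?(:read, order) about one record.
  def can?(action, target)
    klass = target.is_a?(Class) ? target : target.class
    @rules.any? do |r|
      next false unless r.action == :manage || r.action == action
      next false unless r.subject == :all || r.subject == klass
      next true  if r.condition.nil? || target.is_a?(Class)
      r.condition.call(target)
    end
  end

  def cannot?(action, target)
    !can?(action, target)
  end
end

# Constructed sample data: two providers, an employee of the first, one customer.
def sample_world
  provider_a = Provider.new(1, "a@example.com")
  provider_b = Provider.new(2, "b@example.com")
  {
    provider_a: provider_a,
    provider_b: provider_b,
    employee_a: Employee.new(10, "emp@example.com", provider_a.id),
    customer:   Customer.new(20, "c@example.com"),
    admin:      Admin.new(30, "adm@example.com", [:products]),
    root:       SuperAdmin.new(40, "root@example.com"),
    order_a:    Order.new(100, 20, provider_a.id),   # placed by the customer with provider A
    order_b:    Order.new(101, 99, provider_b.id)    # someone else's order with provider B
  }
end

if __FILE__ == $PROGRAM_NAME
  w = sample_world
  emp = Ability.new(w[:employee_a])
  puts "employee A can process order A: #{emp.can?(:process, w[:order_a])}"
  puts "employee A can process order B: #{emp.can?(:process, w[:order_b])}"
end
```

In a real Rails controller the same checks would be CanCan's authorize! / load_and_authorize_resource; the shape to keep is the one above: deny by default, and conditions that compare the record's provider_id or customer_id with the current user, so that a valid session for one provider cannot reach another provider's orders by guessing an id.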