I'm relatively new to Rails, having written only one app so far. I used Devise for authentication in that app. Now I'm on to my second one, and I have to put more thought into authentication since I have many user types, as opposed to the single user type in my first app.
I've been researching the issues so that when I put the code to the metal (or cloud) I can do so with a clear design in mind.
I found this post most useful so far:
Background
I'm creating an online marketplace in which Customers will order stuff from Providers.
I'm planning to create the following user types:
The following fields are what I've identified as being shared between the three user types above:
Each user type then has different fields (4 - 6 additional fields each).
Customers and Providers will self-register. Employees and Admins will be registered by Providers and Super Admins respectively.
An Employee will be associated with a Provider. I don't foresee an employee being associated with more than one provider.
I also do not foresee the need for a user having multiple roles.
My Plan
After doing some research into the options, I decided on the following:
I will create three different user models:
In my head, these are all really different users who will interact with different sections of the application, so it feels clean. Based on my research, this approach also allows me to fully customise the registration procedure for each user category. For example, I could allow Customers to register with their Facebook account (using OmniAuth), but not extend this option to my Providers. And of course Super Admins won't be :registerable at all. I understand that each user will have separate login pages, which is not an issue for me (it is in fact desirable).
Having different models, especially for Admin also allows me to refactor with ease later, in case I do need to implement additional roles.
The Question
Is the design above as simple as I can make it? No battle plan ever survives contact with the enemy. But I'm hoping Rails is my friend :) So on paper, my plan seems simple to me. Is there anything I'm missing that will make its implementation more complex than it appears on paper?
Additionally, even though I have devised the above plan (pun intended) I am open to other suggestions. For example, is there any reason I would want to do STI for all models (have a single User model from which all my other models inherit)?
Thanks for reading!
RailsCasts has a pretty solid solution to handle at least some of the complexity introduced by your solution. Bates introduces a roles attribute to the User model that encapsulates which role (or roles) the user has. He couples this with the gem CanCan to dictate which role can perform which actions.
Check this out http://railscasts.com/episodes/192-authorization-with-cancan?view=asciicast
First take a look at how he's setting and getting the roles attribute, and then take a look at how he's coupling that with CanCan.
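To make the roles-attribute idea concrete, here is an added example in plain Ruby (not code from the RailsCasts episode, the question, or the CanCan gem, and runnable without Rails or Devise). A single User model keeps its roles in one integer bitmask, and a small Ability class mimics the `can`/`can?` style of rules so the authorization logic lives in one place and denies by default. The role names follow the user types named in the question; the `id`, `provider_id` and `Order` fields are assumptions made for the illustration.

```ruby
# Added example (not from the page): roles stored as a bitmask on a single
# User model, plus a deny-by-default Ability class in the style of CanCan.
# Role names follow the question; id/provider_id/Order are assumed fields.

ROLES = %w[customer provider employee admin super_admin].freeze

class User
  attr_reader :id, :roles_mask, :provider_id

  def initialize(id:, roles: [], provider_id: nil)
    @id = id
    @provider_id = provider_id
    @roles_mask = 0
    self.roles = roles
  end

  # Each role is one bit, so a single integer column can hold several roles.
  # Unknown role names are rejected rather than silently ignored.
  def roles=(names)
    names = Array(names).map(&:to_s)
    unknown = names - ROLES
    raise ArgumentError, "unknown role(s): #{unknown.join(', ')}" unless unknown.empty?
    @roles_mask = names.map { |r| 2**ROLES.index(r) }.sum
  end

  def roles
    ROLES.each_with_index.select { |_, i| @roles_mask[i] == 1 }.map(&:first)
  end

  def role?(name)
    roles.include?(name.to_s)
  end
end

# Assumed record type: an order placed by a customer with a provider.
Order = Struct.new(:customer_id, :provider_id, keyword_init: true)

class Ability
  Rule = Struct.new(:action, :subject, :condition)

  # Rules are granted per role; anything not granted here is denied.
  def initialize(user)
    @rules = []
    if user.role?(:super_admin)
      can :manage, :all
    elsif user.role?(:admin)
      can :manage, :provider
      can :read, :order
    elsif user.role?(:provider)
      can :manage, :order, ->(o) { o.provider_id == user.provider_id }
      can :manage, :employee, ->(e) { e.provider_id == user.provider_id }
    elsif user.role?(:employee)
      can :read, :order, ->(o) { o.provider_id == user.provider_id }
    elsif user.role?(:customer)
      can :create, :order
      can :read, :order, ->(o) { o.customer_id == user.id }
    end
  end

  def can(action, subject, condition = nil)
    @rules << Rule.new(action, subject, condition)
  end

  # :manage covers every action and :all covers every subject, as in CanCan.
  # A rule with a record condition only matches when a record is supplied,
  # so a conditional grant never becomes an unconditional one by accident.
  def can?(action, subject, record = nil)
    @rules.any? do |r|
      (r.action == :manage || r.action == action) &&
        (r.subject == :all || r.subject == subject) &&
        (r.condition.nil? || (record && r.condition.call(record)))
    end
  end
end

def authorized?(user, action, subject, record = nil)
  Ability.new(user).can?(action, subject, record)
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(id: 1, roles: [:customer])
  order = Order.new(customer_id: 1, provider_id: 10)
  puts "alice reads her order: #{authorized?(alice, :read, :order, order)}"
end
```

In a Rails app the `roles_mask` integer and the `roles=`/`roles` pair would live on the ActiveRecord model, and a controller would call `can?` (or CanCan's `authorize!`) before acting on a record. The point worth keeping from this sketch is the default deny: a user with no matching role, or a record belonging to another provider or customer, gets nothing.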