How to implement a permissions system like highrise or facebook

Question

Hey I am looking to implement a permissions system like in highrise or facebook.

The issue with such an problem is that permissions have to defined on a instance of the object(visibility). Off the top of my head i can think of saving user_ids, or group_ids in a hash for every record. Is that the best way to do it?

I am using mongodb so that should make it easier. Although we can switch to sql also (highrise probably does it with sql).

Edit: I ended up writing a gem that works with mongoid, you can read more about it here

Answer 1

@Abhishiv: given this task, I would implement some form of convention for setting access by field.

Given an object like the following:

{
  name : "me",
  user : "me01234",
  salary : "100",
  address : "123 Nowhere drive"
}

I would add permissions by doing something like this:

{
  name : "me",
  user : "me01234",
  salary : "100",
  address : "123 Nowhere drive"
  p_salary : [ 'g/accounting', 'g/management', 'u/owner' ]
  p_address : [ 'g/accounting', 'g/hr', 'u/me' ]
}

With conventions like this, you can maintain document-level access permissions. And it's pretty easy to see how to program such a thing.

Now typically you want access permissions on both the object and the collection itself. This keeps the whole process much more DRY. For such a thing, I would simply build a "permissions" collection that contains default permissions for each other collection in the DB.

Off the top of my head, I don't know of any framework that does this "out of the box". I would look at Mongoid and MongoMapper and see if this type of detail isn't appropriate for a plug-in.

Answer 2

Look into Cancan: https://github.com/ryanb/cancan