
Opinions on Ruby on Rails admin page implementation

What's the general consensus on implementing an admin interface behind a web app? Please note, I'm not looking for an admin generator similar to Merb, RailsAdmin, Typus or other.

I'd like to know the following:

  1. Is it necessary? If not, how else would admins administer the app? Via Rails console? Via database?
  2. Should the URL look like: http://localhost/admin or http://admin.localhost/ or other?
  3. Should the namespace be admin or admins?
  4. How do large apps like GitHub, Facebook, or even Stack Overflow implement their admin interface?
  5. Does having an admin interface accessible via the web app entail a security hazard of any sort?
Christian Fazzini asked Nov 06 '22 00:11


1 Answer

1) It is not necessary; however, it is nice to have an interface to manage your data. This way you could have multiple admins, none of whom actually have to touch the database/code via the console (for ease of use, security, etc.).

2) It's completely up to you; however, localhost/admin may reduce the amount of complications with subdomains.

3) The namespace is generally admin; however, once again... it is up to you. You could try to make it obscure; however, please note: obscurity is not a form of security.

4) Large applications/companies most certainly implement an admin interface for many reasons, one as I stated in 1). You can provide functionality to trusted people within your organization who don't necessarily have the technical skills to open up a console. This reduces the amount of mess-ups (typos, etc.) and increases the amount of usability.

5) Having an admin interface that is public is inherently a potential security hazard. You could implement many techniques to help lower this hazard, such as putting the admin section of the site behind a firewall/private intranet which you can only access via VPN or when you are 'in the office' (on top of the obvious techniques such as user authentication). Another solution, if you can't put it behind a firewall/intranet, is to limit the access to a whitelist of IP addresses.

Mike Lewis answered Nov 12 '22 16:11
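The IP whitelist from point 5 of the answer, sketched as an added example (not part of the original answer): a Rack-style middleware that answers requests under the admin namespace only for allowlisted networks. The class name `AdminIpAllowlist`, the default `/admin` prefix and the choice of a 404 response are assumptions made for this example, and the check sits on top of user authentication rather than replacing it.

```ruby
require "ipaddr"

# Hypothetical Rack-style middleware: requests under the admin prefix are
# passed on only when the client address is inside an allowlisted network.
class AdminIpAllowlist
  def initialize(app, allowed:, prefix: "/admin")
    @app = app
    @prefix = prefix.chomp("/")
    @networks = allowed.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    return @app.call(env) unless admin_path?(env["PATH_INFO"].to_s)
    return @app.call(env) if allowed?(env["REMOTE_ADDR"])

    # 404 instead of 403 so the response does not confirm the admin area exists.
    [404, { "content-type" => "text/plain" }, ["Not Found\n"]]
  end

  private

  # Matches /admin and /admin/..., but not /administrator.
  def admin_path?(path)
    path == @prefix || path.start_with?("#{@prefix}/")
  end

  # Reads REMOTE_ADDR only. X-Forwarded-For is supplied by the client and
  # must not be trusted unless a known reverse proxy overwrites it.
  def allowed?(addr)
    return false if addr.to_s.empty?

    ip = IPAddr.new(addr.to_s)
    # Dual-stack sockets report IPv4 clients as ::ffff:a.b.c.d.
    ip = ip.native if ip.ipv4_mapped?
    @networks.any? { |net| net.include?(ip) }
  rescue IPAddr::Error
    false # malformed address: deny
  end
end
```

In a Rails app this kind of class would be registered with `config.middleware.use`; the application still needs its normal authentication in front of every admin action.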