Topic: Devise, CanCan and roles.
My application is getting large and in need of a serious authorization overhaul. It's a hosted competition management application for multiple sports orgs to manage their team sports comps.
The structure is
sports orgs, super_users
sports, members, admin_users
Additionally, there will be a players table linking members and teams through players.
Currently I roll my own auth as described in Agile Web Development: super users have access to everything, while admin users only have access to everything in their sports org.
There is also a public section with game result reports using skip_before_filter :authorize.
Now I want to allow visitors to register as members, edit their own profile and nominate as a player for a team. The registrations will be approved by an admin user who will also have CRUD access to the users table and can associate them with teams as player or team contact.
A user may also query fees due as a player or as a team contact and pay them with active_merchant and paypal.
Effectively I need at least 5 roles.
1. super users: me
2. admin_users: limited only by sports_org_id
3. team_contacts: users nominated as team contacts (field in teams) who can enter game results and pay game fees.
4. users: registered users as described above with crud access over their own profile.
5. public: able to view public reports without any login. bots welcome.
Can CanCan handle a role structure like this? I assume I will refactor Members to Users for Devise.
The current auth structure restricts access by controller, but CanCan appears to do it by model. Does this mean that attempts to get a URL which interacts with a model will redirect them to the login URL if they don't have the correct model access permissions?
If I made a self method in User to get fees owing, can I call that from any controller if the user has access to the users model only? Could they then pay the fee owing?
Last edited by markhorrocks (2011-09-04 07:00:12)
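As an added example (not code from the original post, and not the CanCan gem's own code), here is the five-role structure above written the way a CanCan Ability class would express it: rules scoped by attribute hashes (sports_org_id, the contact field on teams, the user's own id) rather than by controller. A small MiniAbility class stands in for CanCan::Ability so the file runs without the gem; the struct names, the role, sports_org_id, contact_id and payer_id fields, the :pay action and the sample data are all assumptions.

```ruby
# Minimal stand-in for CanCan::Ability (an assumption, not the gem): `can`
# records a rule, `can?` evaluates it. Rules are scoped by attribute hashes,
# which is how the real gem limits "everything in their sports org".
class MiniAbility
  def initialize
    @rules = []
  end

  def can(actions, subject, conditions = {})
    Array(actions).each { |a| @rules << [a, subject, conditions] }
  end

  # `subject` is an instance (attribute-scoped check) or a class (class-level
  # check, e.g. for an index action, which passes if any rule covers it).
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule_action, rule_subject, conds|
      next false unless rule_action == :manage || rule_action == action
      next false unless rule_subject == :all || rule_subject == klass
      next true if subject.is_a?(Class)
      conds.all? do |attr, wanted|
        actual = subject.public_send(attr)
        wanted.is_a?(Array) ? wanted.include?(actual) : wanted == actual
      end
    end
  end
end

# Assumed models; in the app these would be ActiveRecord classes.
User       = Struct.new(:id, :role, :sports_org_id, keyword_init: true)
Team       = Struct.new(:id, :sports_org_id, :contact_id, keyword_init: true)
GameResult = Struct.new(:id, :team_id, keyword_init: true)
Fee        = Struct.new(:id, :payer_id, :team_id, :paid, keyword_init: true)
Report     = Struct.new(:id, keyword_init: true)

class Ability < MiniAbility
  # `teams` stands in for Team.where(contact_id: user.id) in Rails.
  def initialize(user, teams)
    super()
    can :read, Report                     # 5. public: readable without login
    return if user.nil?                   # a guest gets nothing else

    case user.role
    when :super_user                      # 1. super users: everything
      can :manage, :all
    when :admin_user                      # 2. admin users: only their sports org
      can :manage, User, sports_org_id: user.sports_org_id
      can :manage, Team, sports_org_id: user.sports_org_id
    end

    # 4. registered users: CRUD on their own profile only
    can [:read, :update, :destroy], User, id: user.id

    # 3. team contacts: derived from the contact field on teams (not a role
    #    column), so one user can be contact for several teams.
    contact_team_ids = teams.select { |t| t.contact_id == user.id }.map(&:id)
    can [:create, :update], GameResult, team_id: contact_team_ids
    can [:read, :pay], Fee, team_id: contact_team_ids

    # fees a user owes personally as a player
    can [:read, :pay], Fee, payer_id: user.id
  end
end

class NotAuthorized < StandardError; end

# The check belongs at the action that does the payment: a "fees owing"
# method on User can compute whatever it likes, but paying still has to
# pass this, the way `authorize! :pay, @fee` would in a controller action.
def pay_fee(ability, fee)
  raise NotAuthorized, "cannot pay fee #{fee.id}" unless ability.can?(:pay, fee)
  fee.paid = true
  fee
end

# Constructed sample data.
TEAMS = [
  Team.new(id: 1, sports_org_id: 10, contact_id: 3),
  Team.new(id: 2, sports_org_id: 20, contact_id: 4),
]
SUPER   = User.new(id: 1, role: :super_user, sports_org_id: nil)
ADMIN10 = User.new(id: 2, role: :admin_user, sports_org_id: 10)
CONTACT = User.new(id: 3, role: :user,       sports_org_id: 10)  # contact for team 1
PLAYER  = User.new(id: 5, role: :user,       sports_org_id: 20)  # plain member

def ability_for(user)
  Ability.new(user, TEAMS)
end
```

With the real gem the Ability class looks the same minus MiniAbility, and the controller side is load_and_authorize_resource or an explicit authorize! call; a user who is logged in but fails the check gets CanCan::AccessDenied (which you rescue_from in ApplicationController and redirect wherever you like), while an unauthenticated request is normally turned away earlier by Devise's authenticate_user! before CanCan is consulted at all. The point of pay_fee is the answer to the last question: nothing about having "access to the users model" lets someone pay a fee unless the action that performs the payment checks :pay on that Fee.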