Account could have many users and user could have many accounts


Radovan Šmitala

Apr 15, 2012, 7:40:37 AM4/15/12
to cant...@googlegroups.com
Hi, first of all, CanTango is a really great and complete authorization system for Rails! Sadly it doesn't have more contributors.

Back to my issue.
I have tried to implement a permission system (Software as a Service) where an account has a license permission and could have many users. Every user has a role permission.

This is the reverse of what is on the wiki.

I'll try to explain with a model situation, a CMS system.

ACCOUNT: this is unique service per client
has one license
has many users (through)

LICENSE: packages like Small package, medium package, large package
belongs to account

USER: Devise model authentication
has many accounts (through)
has one role

ROLE: superadmin, admin, subadmin(author or moderator if you can)
belongs to user

----------------
and here is, for example, a piece of the CMS system

ARTICLE: cms posts
belongs to category
belongs to account
belongs to user

CATEGORY: inclusion of article
has many articles
belongs to account
belongs to user
-----------

As Superadmin I create an Account and its first User, which has the role admin. The Account is assigned to one of three licenses. This admin gets login data and has full permissions on this account (creates articles, categories etc.). The admin can create multiple authors (users) within the account. Authors can manage only their own articles and categories. (There could be some restrictions, e.g. an author can create only 5 categories.)

CanTango is really great for it! But I don't know how to start implementing it.

Permissions are linear:

license -> role

Can you give me a hint please? Thank you and keep up the great work!

Kristian Mandrup

Apr 15, 2012, 9:24:05 AM4/15/12
to cant...@googlegroups.com
Hi Radovan,

Well for all the developers out there who like the idea of CanTango, please feel free to contribute. Stanislaw made a huge effort last summer and really helped make it what it is (or was).
I designed the system to be flexible yet take into account the most common scenarios I could imagine or had heard of regarding Users and Accounts.
Your scenario is quite unique so far.

Just have a #roles method on the Account or User that returns a list of roles (e.g. taking into account the licenses or whatever).

For the Account: has_many -> Users

Hmm.. what do you really want to check on, the permissions of the current account or the current user? I think that it would still be the user.

CanTango simply expects the current_user to have a #current_account method that returns the currently active account for the user. It doesn't matter what the relationship is between User and Account.

The "cantango-permits" gem has been designed in order that you can design your own type of permits, not limited to just User, Account and Role permits. You could use this feature to make your own LicensePermits.

Look in the README, in the Custom Permit types section.

In the specs, find the custom_permit_spec.rb file. Also look at the implementation of existing permit types (such as the role permit) - see http://github.com/kristianmandrup/cantango-roles

In your scenario I would have License permits and Role permits. The actual authorization logic, who can do what is just plain and simple cancan rules ;)

Enjoy!

Kristian
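To make the suggestion concrete, here is an added example (not code from this thread, and not CanTango's or CanCan's own API): a plain-Ruby sketch of the two permits Kristian describes, a role permit and a license permit, layered on a tiny can/cannot rule engine that stands in for CanCan rules. Model names follow Radovan's post; the Struct models, the rule engine, the meaning of the admin and author roles, and the per-package category cap are all assumptions for illustration.

```ruby
# Added example, not from the thread or from CanTango/CanCan. Plain Ruby, no Rails.
# Models mirror the original post; `Struct`s stand in for ActiveRecord models.
License  = Struct.new(:name, :max_categories)   # Small / Medium / Large package (cap assumed)
Account  = Struct.new(:name, :license, :categories)
Role     = Struct.new(:name)                    # :admin or :author (assumed role names)
User     = Struct.new(:name, :role, :current_account)  # mirrors the #current_account expectation
Article  = Struct.new(:title, :account, :user)
Category = Struct.new(:name, :account, :user)

# Hypothetical stand-in for CanCan's Ability: rules are evaluated in definition
# order and the last matching rule wins, so a later `cannot` can cap an earlier `can`.
class Ability
  ALL_ACTIONS = %i[create read update destroy].freeze

  def initialize(user)
    @rules = []                                 # [allow?, action, klass, condition]
    account = user.current_account
    role_permit(user, account)                  # "who can do what" within the account
    license_permit(account.license)             # package restrictions applied last
  end

  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    matches = @rules.select do |allow, a, k, cond|
      next false unless a == action && k == klass
      next true if cond.nil?
      # Class-level checks ("can this user create categories at all?") treat
      # conditional `can` rules as possible and skip conditional `cannot` rules.
      subject.is_a?(Class) ? allow : cond.call(subject)
    end
    matches.empty? ? false : matches.last[0]
  end

  private

  def can(action, klass, &cond)
    add(true, action, klass, cond)
  end

  def cannot(action, klass, &cond)
    add(false, action, klass, cond)
  end

  def add(allow, action, klass, cond)
    actions = action == :manage ? ALL_ACTIONS : [action]
    actions.each { |a| @rules << [allow, a, klass, cond] }
  end

  # Role permit: admins manage everything on the current account; authors may
  # read account content but manage only records they created themselves.
  # Identity comparison (equal?) avoids deep Struct equality on linked records.
  def role_permit(user, account)
    [Article, Category].each do |klass|
      can(:read, klass) { |r| r.account.equal?(account) }
      if user.role.name == :admin
        can(:manage, klass) { |r| r.account.equal?(account) }
      else
        can(:manage, klass) { |r| r.account.equal?(account) && r.user.equal?(user) }
      end
    end
  end

  # License permit: the package caps how many categories the account may hold.
  def license_permit(license)
    cannot(:create, Category) { |c| c.account.categories.size >= license.max_categories }
  end
end

# Constructed scenario: one Small-package account with an admin and an author.
def demo
  small   = License.new(:small, 2)              # constructed cap: 2 categories
  acct    = Account.new("example.test", small, [])
  foreign = Account.new("other.test", small, [])
  admin   = User.new("admin", Role.new(:admin), acct)
  author  = User.new("author", Role.new(:author), acct)
  own     = Article.new("mine", acct, author)
  theirs  = Article.new("admins", acct, admin)
  abroad  = Article.new("elsewhere", foreign, admin)

  results = {
    author_updates_own:    Ability.new(author).can?(:update, own),
    author_updates_theirs: Ability.new(author).can?(:update, theirs),
    author_reads_theirs:   Ability.new(author).can?(:read, theirs),
    author_reads_abroad:   Ability.new(author).can?(:read, abroad),
    admin_updates_own:     Ability.new(admin).can?(:update, own)
  }
  # License cap: fill the account up to the package limit, then re-check.
  cat = ->(n) { Category.new("c#{n}", acct, admin) }
  results[:create_under_cap] = Ability.new(admin).can?(:create, cat.call(1))
  2.times { |i| acct.categories << cat.call(i) }
  results[:create_at_cap] = Ability.new(admin).can?(:create, cat.call(3))
  results
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the layering is the order in `initialize`: role rules grant access, and the license `cannot` is added afterwards so it wins on the category cap regardless of role. In a real CanTango setup each of the two `*_permit` methods would become its own permit type (per the Custom Permit types section of the README), while the rule bodies stay ordinary CanCan rules.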

Radovan Šmitala

Apr 15, 2012, 3:18:59 PM4/15/12
to cant...@googlegroups.com
Thank you for a reply!

I really want to help, but my skills are not so good. I have worked with Rails and Ruby for too short a time.

Maybe Accounts are the same as what you think and I think.

I use Roles for Users. That is, a User has Roles. Used with the simple_roles gem.
Accounts don't have roles.

I can try to explain my flow more clearly.

In the system there can be many Accounts. An Account is, for example, one access to a service. E.g. webhosting for a domain, a Google Place, a calendar etc.
This account is unique by name (e.g. the www domain address). An Account has exactly one license (License model).
Multiple users can manage an account (the User model has Devise authentication). They have different roles (Role model): an admin for the whole account, and others who have some restrictions.
And here is the key to the associations. I don't want to save user_id but account_id in the associated model, because there should be multiple users per account. From the session I can get the logged-in user, which defines which account it belongs to.

I think this isn't anything special or unique.
I'm a little bit messy with this.

Exactly as you wrote. I need only Role and License permissions :) Maybe sometime in the future specific ones by User and Account. But not now.