Roll my own Role based permission or use CanCan Gem?

124 views
Skip to first unread message

tmueller

unread,
Jan 12, 2012, 12:29:55 PM1/12/12
to Ruby on Rails: Talk
Hello,

I am new to Rails and wanted to ask some of the veterans here what
they recommend for Role based permissions. I am working on an
application that has users and those users can have multiple roles.
Based on a users role various things are available/unavailable for
them to do. This access would be controlled at the controller, view
and model level at various points in the application. I would have a
screen in the admin section where I can view a persons roles, add or
remove roles, etc. Nothing real complicated.


Todd

Dave Aronson

unread,
Jan 12, 2012, 1:35:17 PM1/12/12
to rubyonra...@googlegroups.com
On Thu, Jan 12, 2012 at 12:29, tmueller <todd.c....@gmail.com> wrote:

> I am new to Rails and wanted to ask some of the veterans here what
> they recommend for Role based permissions.

It depends on a number of factors. If this is a "real thing" for
work, or that you intend to put out for public use, definitely just go
with CanCan. (Or possibly one of the alternatives. CanCan does seem
to be the most popular though.)

On the other claw, if you're just playing, do it with CanCan (or,
again, some alternative) the *first* time. That way, you get the idea
how that sort of thing generally works. *After* that, though, it can
be quite a good learning experience to try to duplicate the
functionality yourself. Meanwhile, having learned CanCan can't hurt
either. :-) You could separate the authorization checks into some
wrapper class that would, under the hood, initially call CanCan, but
then you can remove CanCan (kick the CanCan?), and see what you have
to do to make the app work again. I suggest having particularly good
test coverage in that piece, so you know you've got it working right.

-Dave

--
Dave Aronson, President, Dave Aronson Software Engineering and Training
Ruby on Rails Freelancing (Northern Virginia, Washington DC, or Remote)
DaveAronson.com, Codosaur.us, Dare2XL.com, & RecruitingRants.com (NEW!)
Specialization is for insects. (Heinlein) - Have Pun, Will Babble! (me)

tmueller

unread,
Jan 12, 2012, 1:57:07 PM1/12/12
to Ruby on Rails: Talk
Hi Dave,

Thanks for the quick reply. I'll give CanCan a go as from what I've
read it should cover most everything I need for role auth.



Todd

On Jan 12, 10:35 am, Dave Aronson <googlegroups2d...@davearonson.com>
wrote:

djangst

unread,
Jan 12, 2012, 2:00:37 PM1/12/12
to Ruby on Rails: Talk
http://asciicasts.com/episodes/192-authorization-with-cancan

Michael Pavling

unread,
Jan 12, 2012, 3:50:41 PM1/12/12
to rubyonra...@googlegroups.com
On 12 January 2012 17:29, tmueller <todd.c....@gmail.com> wrote:
> I am new to Rails and wanted to ask some of the veterans here what
> they recommend for Role based permissions.

If it's a terribly simple permissions model, you can roll your own
with a small piece of code like this:
http://erniemiller.org/2008/09/30/easy-role-based-authorization/

...I've used tweaked versions of this in the past.

But if you plan any kind of scaling up, it would probably be best to
stick to a tried and tested public gem..

Regards,
Michael

Don

unread,
Jan 13, 2012, 11:47:42 AM1/13/12
to rubyonra...@googlegroups.com
I'm fairly new to the Rails community and recently faced a similar situation.  First from what you describe, CanCan will most certainly provide the functionality you desire.  

Secondly, there is a nice screencast at Railscasts.com that provides a good introduction, however some of processes in the screencast have been updated/modified in more recent versions of the gem, so be sure to go by the github documentation vs. the example in the screencast.  

Thirdly, I would describe the learning curve for the CanCan gem as moderate.  I have a fairly complex use case and my CanCan Abilities class has gotten a little large.  However, I've been amazed that each time I initially thought CanCan was in error, when I worked it through, CanCan was accurate.  Also, I was worried about a performance hit, but so far have not seen anything that indicates CanCan will not scale.

Highly recommended gem from my standpoint.

tmueller

unread,
Jan 13, 2012, 7:08:03 PM1/13/12
to Ruby on Rails: Talk
Hi Don,

Thanks for the write-up on CanCan. I'm currently trying out
declarative_authorization as I want to have the role info be
accessible in my models.

Santosh c

unread,
Jan 14, 2012, 3:20:22 PM1/14/12
to rubyonra...@googlegroups.com
Hi,
my app is ruby based but I am not using rails. Can I still use CanCan?

Don

unread,
Jan 14, 2012, 11:42:59 PM1/14/12
to rubyonra...@googlegroups.com
CanCan is Rails specific - the docs on GitHub clearly state it is for Ruby on Rails.  From my limited experience, CanCan requires Gems that are Rails specific and relies on many aspects of Rail's MVC structure.  I estimate it would be a big job to rework CanCan to be not dependent on Rails plug-ins and work with whatever MVC structure (if any) you have in your app.  It would most likely be easier to roll your own.


Don

unread,
Jan 14, 2012, 11:47:09 PM1/14/12
to rubyonra...@googlegroups.com
Yes, CanCan is very "controller" centric.  Sounds like the declarative_autorization gem allows one to follow the "skinny controllers, fat models" design mantra.  I'll have to check it out.
Reply all
Reply to author
Forward
0 new messages