Authorization
We use CanCan to manage authorization in our management websites. Our public websites allow anonymous access. This page describes in detail how we use CanCan.
Our specifications define two types of users:
- Managers: can manage all the data in the application, including Trade data; and
- Contributors: can view, edit and add data to taxon concepts and associated pages. Contributors cannot manage what is identified as Core Data (e.g. Taxonomies, Ranks, Species Listings), nor can they change data in bulk. They cannot visit the Trade Database management page.
As we only have two roles and each user holds exactly one of them, we use a single boolean attribute on the User model. This attribute is named is_manager and defaults to false for newly created users.
We define the authorization rules in CanCan's ability file, app/models/ability.rb. Managers are granted every action on every object:

```ruby
can :manage, :all
```
For Contributors we first grant access to the read, update, and create actions on all objects, leaving out the destroy action and thus preventing them from deleting any type of data:

```ruby
can :read, :all
can :update, :all
can :create, :all
```
We then specify some exceptions to these rules. Contributors can only update their own accounts:

```ruby
cannot :update, User do |u|
  u.id != user.id
end
```
Contributors cannot manage Core Data or perform bulk updates (e.g. the pages served by admin_quotas_path and admin_eu_regulations_path):

```ruby
cannot :manage, [
  Taxonomy, Rank, Designation,
  Instrument, SpeciesListing,
  ChangeType, EuDecisionType,
  Language, GeoEntity, GeoEntityType,
  TradeCode, Trade::TaxonConceptTermPair,
  TermTradeCodesPair, Event, CitesSuspension,
  Quota, EuRegulation, EuSuspensionRegulation,
  Trade::Shipment, Trade::Permit, Trade::AnnualReportUpload,
  Trade::ValidationRule
]
```
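The rules above assembled into one Ability class, as an added example that is not the project's own code. MiniCanCan is a constructed stand-in for CanCan::Ability so the file runs without the gem; it reproduces the one property these rules depend on (a later `cannot` overrides an earlier `can`), the model classes and User are constructed stubs, and the Core Data list is shortened.

```ruby
# Added example, not the project's code. MiniCanCan is a constructed stand-in for
# CanCan::Ability (the real app does `include CanCan::Ability`); like CanCan it
# checks rules newest-first, so the `cannot` exceptions must follow the `can` grants.
module MiniCanCan
  Rule = Struct.new(:allow, :actions, :subjects, :block)
  def rules; @rules ||= []; end
  def can(action, subject, &block);    rules << Rule.new(true,  Array(action), Array(subject), block); end
  def cannot(action, subject, &block); rules << Rule.new(false, Array(action), Array(subject), block); end
  # A block condition is evaluated only for an instance (a class check matches outright); false means "skip".
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    hit = rules.reverse.find do |r|
      (r.actions.include?(:manage) || r.actions.include?(action)) &&
        (r.subjects.include?(:all) || r.subjects.any? { |s| klass <= s }) &&
        (r.block.nil? || subject.is_a?(Class) || r.block.call(subject))
    end
    hit ? hit.allow : false
  end
end

User = Struct.new(:id, :is_manager) # constructed stub carrying the boolean role flag described above
Taxonomy = Class.new; Quota = Class.new; TaxonConcept = Class.new # constructed stub models
class Ability
  include MiniCanCan
  def initialize(user)
    if user.is_manager
      can :manage, :all
    else
      can :read, :all
      can :update, :all
      can :create, :all # :destroy is never granted, so contributors cannot delete
      cannot :update, User do |u| u.id != user.id end # only their own account
      cannot :manage, [Taxonomy, Quota] # Core Data (shortened; the full list is above)
    end
  end
end

def contributor_checks
  me, other = User.new(1, false), User.new(2, false)
  a = Ability.new(me)
  { own_account: a.can?(:update, me), other_account: a.can?(:update, other),
    edit_taxon: a.can?(:update, TaxonConcept.new), destroy_taxon: a.can?(:destroy, TaxonConcept),
    read_quota: a.can?(:read, Quota) } # cannot :manage revokes :read as well
end

def manager_checks
  a = Ability.new(User.new(3, true))
  { destroy_quota: a.can?(:destroy, Quota), update_other: a.can?(:update, User.new(1, false)) }
end
```

Note that `cannot :manage` on the Core Data models removes every action, including read, so a contributor is denied even `can?(:read, Quota)`; grant read back explicitly after it if that is wanted.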