
Adding a Role Filter

April 22, 2008 at 11:55
A role marks a user who has additional privileges, for example an administrator. Such a user can see pages a normal user cannot see and may get additional navigation elements.

Using roles is simple: add an additional string column named role to your user model (t.string :role in the migration), then open application.rb (the ApplicationController, so the method is available in every controller) and add the following method:

Code (ruby)
def is_admin?
  # Look the user up once; find_by_id returns nil when the session has no user_id
  # or the id no longer exists, so the nil check below covers both cases
  user = User.find_by_id(session[:user_id])
  unless user and user.role == "admin"
    # A before_filter that redirects halts the chain, so the action never runs
    redirect_to(:controller => "/user", :action => "index")
  end
end

What's happening here: if the session contains a user_id, the user exists, and the user's role is "admin", the filter does nothing and the requested action runs. Otherwise the user is redirected to another page, and because a before_filter that redirects halts the filter chain, the restricted action is never executed. Having this prepared, open a controller you would like to restrict access to and add the following line at the top of the controller, before the first action:

Code (ruby)
  1. before_filter :is_admin?

I have combined the roles with my user authentication. When somebody tries to call the admin_area action (line 7), the controller will first call the login filter (line 1); when the user is logged in it will call the is_admin? filter, and only if that passes too is the user allowed to call admin_area and see the page. A user without admin rights can only call the profile and settings actions (line 2), but nothing more (these actions are excluded from the admin check, see the :except). Note that :except is the fail-safe choice here: any action you add to this controller later is admin-restricted by default, whereas an :only list would leave new actions open until you remember to add them.

Code (ruby)
  1. before_filter :login
  2. before_filter :is_admin?, :except => [:profile, :settings]
  3. def profile
  4. end
  5. def settings
  6. end
  7. def admin_area
  8. end
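To make the ordering and halting behaviour of that filter chain concrete, here is an added example in plain Ruby that is not code from the original post and does not use Rails. It models just enough of before_filter (a class-level registry, :except, and a chain that stops at the first redirect) to run the login and is_admin? filters from above against a constructed in-memory user table; the names MiniController, USERS, dispatch and the reports action are assumptions introduced for the example. It also shows the fail-safe effect of :except described above: the later-added reports action is restricted without any extra declaration.

```ruby
# Added example (not the post's code): a plain-Ruby model of how the two
# before_filters compose. Assumptions: session is a Hash, users come from the
# constructed table below instead of User.find_by_id, and a filter that calls
# redirect_to halts the chain the way a Rails 2.0 before_filter does.

# Constructed user table standing in for the users table.
USERS = {
  1 => { :name => "alice", :role => "admin" },
  2 => { :name => "bob",   :role => "user" },
}

class MiniController
  # Class-level registry mirroring `before_filter :name, :except => [...]`.
  def self.before_filter(name, options = {})
    filters << [name, Array(options[:except]).map { |a| a.to_s }]
  end

  def self.filters
    @filters ||= []
  end

  attr_reader :session, :redirected_to

  def initialize(session)
    @session = session
    @redirected_to = nil
  end

  # Run every filter that applies to +action+, in declaration order, and stop
  # at the first one that redirected. Returns what the request ended up doing.
  def process(action)
    action = action.to_s
    self.class.filters.each do |name, except|
      next if except.include?(action)
      send(name)
      return "redirect:#{@redirected_to}" if @redirected_to
    end
    send(action)
    "rendered:#{action}"
  end

  def redirect_to(target)
    @redirected_to = target
  end

  def current_user
    USERS[session[:user_id]]
  end
end

class AdminController < MiniController
  before_filter :login
  before_filter :is_admin?, :except => [:profile, :settings]

  # Authentication: anyone without a session user is sent to the login page.
  def login
    redirect_to("/login") unless current_user
  end

  # Authorization: the role check from the post, against the constructed table.
  def is_admin?
    unless current_user and current_user[:role] == "admin"
      redirect_to("/user/index")
    end
  end

  def profile;    end
  def settings;   end
  def admin_area; end
  def reports;    end   # added later: restricted automatically because of :except
end

# Simulate one request by user id (nil = anonymous) for the given action.
def dispatch(user_id, action)
  AdminController.new(:user_id => user_id).process(action)
end
```

dispatch(1, :admin_area) renders the action for the admin, dispatch(2, :admin_area) and dispatch(2, :reports) redirect the ordinary user to /user/index, dispatch(2, :profile) renders because profile is excepted, and dispatch(nil, :profile) is redirected to /login by the login filter before the role check is ever reached.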

Sometimes you want to hide parts of your navigation from the normal user and only make them visible to admin users. You can use a helper method defined globally in application_helper.rb and then add a few lines of code in the layout. The method is written out step by step so that its purpose is clear. Unlike the controller filter above, this helper only answers true or false; it must never redirect, because it runs while a view is being rendered.

Code (ruby)
def is_admin?
  user = User.find_by_id(session[:user_id])
  # Guard against nil: an anonymous visitor has no user, and user.role would raise
  return false if user.nil?
  user.role == "admin"
end

Now you can use the method in any of your view files. My favourite setup is a layout.rhtml file for the basic structure of the page and a partial for the user navigation, such as _user.rhtml. In this partial there are a few lines I want to hide from the common user, and I can do that now:

Code (ruby)
  1. <% if is_admin? %>
  2.   <p>This user is an Admin</p>
  3. <% end %>

In _user.rhtml the is_admin? method is called (line 1); if the user is an admin, the text in line 2 is rendered. Hiding a link this way is cosmetic only: the admin actions themselves stay protected by the controller filter, not by the view.
An important hint: don't forget to protect the role attribute, so that it can only be changed deliberately by your own code. Open the user model file (user.rb) and add attr_protected :role at the top. Without it, anyone who can reach a form that ends in User.new(params[:user]) or update_attributes(params[:user]), such as the signup form, can add a user[role]=admin field to the request and make themselves an administrator. attr_protected only guards mass assignment; explicit assignment such as user.role = "admin" in your own code or in script/console still works.
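The following is an added example, not code from the original post, showing in plain Ruby what attr_protected :role does and does not stop. It stands in for ActiveRecord mass assignment with a small MiniModel base class (an assumption for the example, not the Rails implementation), puts an unprotected model next to the protected one, and feeds both a constructed signup request that carries a tampered role field.

```ruby
# Added example (not the post's code): a plain-Ruby stand-in for ActiveRecord
# mass assignment. Assumptions: the constructed hash below plays the role of
# params[:user] posted by a signup form, and `attributes=` mirrors what
# User.new(params[:user]) and update_attributes do with a Hash.

class MiniModel
  # Mirror of `attr_protected`: names listed here are dropped from mass assignment.
  def self.attr_protected(*names)
    protected_attributes.concat(names.map { |n| n.to_s })
  end

  def self.protected_attributes
    @protected_attributes ||= []
  end

  def initialize(attrs = {})
    self.attributes = attrs
  end

  # Mass assignment: only unprotected keys reach the setters.
  def attributes=(attrs)
    attrs.each do |key, value|
      next if self.class.protected_attributes.include?(key.to_s)
      send("#{key}=", value)
    end
  end
end

# "Before": role is mass-assignable, so a form field can set it.
class UnprotectedUser < MiniModel
  attr_accessor :name, :role
end

# "After": role is dropped from mass assignment and can only be set explicitly.
class User < MiniModel
  attr_accessor :name, :role
  attr_protected :role
end

# Constructed request: the attacker adds user[role]=admin to the signup POST.
TAMPERED_SIGNUP = { "name" => "mallory", "role" => "admin" }

def signup_unprotected(params_user)
  UnprotectedUser.new(params_user).role
end

def signup_protected(params_user)
  User.new(params_user).role
end

# Explicit assignment in application code still works: attr_protected guards
# mass assignment, not the setter itself.
def promote(user)
  user.role = "admin"
  user.role
end
```

signup_unprotected(TAMPERED_SIGNUP) returns "admin", which is the bug; signup_protected(TAMPERED_SIGNUP) returns nil because the role key never reaches the setter, while the name is still assigned, and promote(User.new("name" => "carol")) shows that your own code can still grant the role.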

If you have any questions don’t hesitate to leave a comment!
