Well, it's all in the relations. The CarModel controller has, in its info: has_many :advertisments

All controller actions regarding this model are guarded by whether the user is an administrator. Hence, in your user model you put a bool called "admin". So all actions in the controller are guarded with if @user.admin

For the advertisement you have a belongs_to :carmodel, and an id, carmodel_id ----- lots of extra info.

Regards
svend

On Jan 29, 11:18 pm, ms <m...@tzi.de> wrote:
> Good evening,
>
> there's a question I can't really answer for myself. Let's assume
> I've got a rails application for selling cars. A user can create an
> advertisement by choosing the corresponding model from a table
> "car_models" and then add additional information. The user should
> always be able just to _read_ the "car_models" table, not to change
> it. On the other hand, there's an assistant who administers the
> "car_models" table, adding, changing and removing entries.
>
> So, where are we? We have our "CarModel" controller with its CRUD
> methods. And, let's assume, we have a role-based access control
> implemented. A normal user is a group member of "STD_USER", for
> example. So he may only access the "get" or "read" methods,
> whatever. The assistant, however, is a member of the group "STD_ADMIN",
> for example, and has access to all methods of our "CarModel"
> controller.
>
> Although this looks secure, I must confess that I am concerned. What
> if the RBAC fails for some reason? What if a normal user gets
> accidentally into the admin group?
>
> Wouldn't it be better to separate those functionalities? Let's say:
> one administration application and one great wide world application.
> I'm not convinced myself. How do you handle this?
>
> I would be very happy about suggestions.
>
> Thank you very much!
> ms

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
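The guard svend describes (a boolean "admin" on the user, write actions on the CarModel controller allowed only when it is set) as an added example in plain Ruby, written so it runs without Rails. This is not code from either poster: the User and CarModelsController classes, their method names and the action list are assumptions. It also shows the two properties ms was worried about: the guard denies any action it does not explicitly recognise (fail closed), and the admin flag is never filled from request parameters, so a normal user cannot end up in the admin role through a form submission.

```ruby
# Added example, not code from the thread. It models the admin guard svend
# describes in plain Ruby (no Rails), so every name below is an assumption.

class NotAuthorized < StandardError; end

# Minimal stand-in for the User model with the boolean "admin" column.
class User
  attr_reader :name, :admin

  def initialize(name, admin: false)
    @name  = name
    @admin = admin
  end

  # Only :name is taken from untrusted request params. :admin is never read
  # from them, so a signup or profile form cannot grant the admin role.
  def self.from_params(params)
    new(params.fetch(:name))
  end
end

# Stand-in for the CarModel controller. Read actions are an explicit
# allowlist, write actions require admin, and anything unrecognised is
# denied, so a broken or missing role check fails closed rather than open.
class CarModelsController
  READ_ACTIONS  = %i[index show].freeze
  WRITE_ACTIONS = %i[new create edit update destroy].freeze

  def initialize(current_user)
    @current_user = current_user
  end

  # True only for a real user whose admin column is exactly true.
  def admin?
    !@current_user.nil? && @current_user.admin == true
  end

  # The before_action-style guard: true when +action+ may run for the user.
  def authorized?(action)
    return true   if READ_ACTIONS.include?(action)
    return admin? if WRITE_ACTIONS.include?(action)
    false
  end

  # Runs the guard, then the action; raises instead of falling through.
  def dispatch(action, *args)
    unless authorized?(action)
      who = @current_user ? @current_user.name : "anonymous"
      raise NotAuthorized, "#{who} may not #{action} car models"
    end
    public_send(action, *args)
  end

  def index
    "listing car models"
  end

  def show(id)
    "showing car model #{id}"
  end

  def create(attrs)
    "created car model #{attrs[:name]}"
  end

  def destroy(id)
    "destroyed car model #{id}"
  end
end

if __FILE__ == $PROGRAM_NAME
  std   = User.new("ms")
  admin = User.new("svend", admin: true)
  puts CarModelsController.new(std).dispatch(:show, 1)
  puts CarModelsController.new(admin).dispatch(:destroy, 1)
  begin
    CarModelsController.new(std).dispatch(:destroy, 1)
  rescue NotAuthorized => e
    puts "denied: #{e.message}"
  end
end
```

The separate-application split ms asks about is a deployment question; the property that actually matters for "what if the RBAC fails" is the default branch of `authorized?`: an action that is neither in the read allowlist nor in the admin-only list returns false, so adding a new action without thinking about its permissions leaves it closed, not open.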