Am I understanding this product fully?
The product is a set of forums and the supporting mechanisms necessary
to make them work.
Every forum has a predictable set of types of roles. For example:
In addition, there are roles that fall outside of the forum role
structure. For example:
The roles are distinct for each forum. the role "moderator shindo" is
distinct from "moderator wado kai karate". When a new forum is
created, the roles for that forum can also be created as a part of that
The assignment to a forum-based role is generally governed by rank.
There is a process for assigning rank. The role assignment rules can
be applied as this process is fired, and as users are registered to the
Role assignment rules should be based on data in the database.
Given this, you have the following models:
The following relationships apply:
user HABTM roles (table roles_users) (and vice versa)
user HABTM ranks (table rank_users) or user belongs_to ranks + rank
has_many users (I'm partial to user HABTM ranks)
forum HABTM roles (table forums_roles) (and vice versa)
rank HABTM roles (table ranks_roles) (and vice versa)
Within a forum, each action joins (roles_users for the current user)
against (forums_roles for the current forum and action). If there is
not an empty set, then the user has authority to perform the action.
This role test should be implemented as a boolean method, so it can be
reused both for adapting the options on the display and for wrapping
the actions to eliminate a security hole.
In the forum create method, the class checks to see if the forum roles
exist. If they do not then it creates them.
Sysadmin needs authority on all actions, since sysadmin is the ultimate
authority. This is best implemented in the forum user role test.
This isn't complete, but it should be reasonably close.
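
The role test described in this post, sketched as an added Ruby example (not code from the post or from any project): it intersects the user's roles with the roles allowed for a forum and action, denies on an empty result, and handles sysadmin inside the test. The in-memory hashes stand in for the roles_users and forums_roles tables; the user names, action names and the "sysadmin" role string are assumptions, as is keying forums_roles by action.

```ruby
require "set"

# Constructed sample data standing in for the join tables named in the post.
# User names, role names and actions are made up for illustration.
ROLES_USERS = {
  "alice" => Set["moderator shindo"],
  "bob"   => Set["member shindo"],
  "root"  => Set["sysadmin"],
}.freeze

# forums_roles keyed by [forum, action]; assumption: the table carries an action column.
FORUMS_ROLES = {
  ["shindo", :read]          => Set["member shindo", "moderator shindo"],
  ["shindo", :delete_post]   => Set["moderator shindo"],
  ["wado kai karate", :read] => Set["member wado kai karate"],
}.freeze

SYSADMIN_ROLE = "sysadmin" # hypothetical name for the role outside the forum structure

# The boolean role test: true when the user's roles intersect the roles
# allowed for this forum and action. Unknown users, forums and actions
# yield an empty set, so the default is deny.
def permitted?(user, forum, action)
  user_roles = ROLES_USERS.fetch(user, Set.new)
  return true if user_roles.include?(SYSADMIN_ROLE) # sysadmin handled inside the test
  allowed = FORUMS_ROLES.fetch([forum, action], Set.new)
  !(user_roles & allowed).empty?
end

class NotAuthorized < StandardError; end

# Use 1: adapt the display, listing only the actions the user may perform.
def visible_actions(user, forum, actions)
  actions.select { |a| permitted?(user, forum, a) }
end

# Use 2: wrap the action itself, so a hidden link is never the only control.
def perform(user, forum, action)
  raise NotAuthorized, "#{user} may not #{action} in #{forum}" unless permitted?(user, forum, action)
  yield
end
```

Because both the view helper and the action wrapper call the same `permitted?`, a request crafted for an action whose link was hidden is still refused.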