A question about relationships

I understand Martial Arts, and I understand roles.

In martial arts, it is reasonable to hold multiple ranks. For example, within the Shintani association, one can hold the rank of nidan in karate and shodan in shindo at the same time.

I still think roles should be distinct from ranks - sysadmin, for example, is a matter of ownership rather than rank.

Let me ponder for a bit ... I see the shape of a solution but can't quite express it yet.

Am I understanding this product fully?

The product is a set of forums and the supporting mechanisms necessary to make them work.

Every forum has a predictable set of types of roles. For example:

reader, poster, moderator, administrator

In addition, there are roles that fall outside of the forum role structure. For example:

public, sysadmin, security

The roles are distinct for each forum. The role "moderator shindo" is distinct from "moderator wado kai karate". When a new forum is created, the roles for that forum can also be created as a part of that process.

The assignment to a forum-based role is generally governed by rank. There is a process for assigning rank. The role assignment rules can be applied as this process is fired, and as users are registered to the individual forums.

Role assignment rules should be based on data in the database.

Given this, you have the following models:

user, forum, roletype, role, rank

The following relationships apply:

user HABTM roles (table roles_users) (and vice versa)
user HABTM ranks (table rank_users) or user belongs_to ranks + rank has_many users (I'm partial to user HABTM ranks)
forum HABTM roles (table forums_roles) (and vice versa)
rank HABTM roles (table ranks_roles) (and vice versa)

Within a forum, each action joins (roles_users for the current user) against (forums_roles for the current forum and action). If there is not an empty set, then the user has authority to perform the action. This role test should be implemented as a boolean method, so it can be reused both for adapting the options on the display and for wrapping the actions to eliminate a security hole.

In the forum create method, the class checks to see if the forum roles exist. If they do not then it creates them.

Sysadmin needs authority on all actions, since sysadmin is the ultimate authority. This is best implemented in the forum user role test.

This isn't complete, but it should be reasonably close.
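
A sketch of the role test described above, added here as an example and not the poster's own code. Plain Ruby sets stand in for the roles_users and forums_roles join tables; the `Authz` class, its method names and the action-to-roletype mapping are assumptions.

```ruby
require "set"

# Constructed sample model; names other than the post's models/tables are assumed.
ROLETYPES = %w[reader poster moderator administrator].freeze
# Assumption: which role types may perform which action (the post leaves this open).
ACTION_ROLETYPES = {
  read:     ROLETYPES,
  post:     %w[poster moderator administrator],
  moderate: %w[moderator administrator],
  admin:    %w[administrator]
}.freeze
Role = Struct.new(:roletype, :forum) # forum is nil for global roles such as sysadmin

class Authz
  def initialize
    @roles_users  = Set.new # [user, role] rows
    @forums_roles = Set.new # [forum, role] rows
  end

  # Forum create: the Set makes this idempotent, so existing roles are not duplicated.
  def create_forum(forum)
    ROLETYPES.each { |rt| @forums_roles << [forum, Role.new(rt, forum)] }
    forum
  end

  def grant(user, roletype, forum = nil)
    role = Role.new(roletype, forum)
    unless forum.nil? || @forums_roles.include?([forum, role])
      raise ArgumentError, "no role #{roletype} for forum #{forum}"
    end
    @roles_users << [user, role]
  end

  # Boolean role test: the user's roles joined against the forum's roles that
  # permit this action must be non-empty. Sysadmin passes every test.
  def can?(user, action, forum)
    user_roles = @roles_users.select { |u, _| u == user }.map(&:last)
    return true if user_roles.include?(Role.new("sysadmin", nil))
    allowed = ACTION_ROLETYPES.fetch(action, []) # unknown action: deny by default
    forum_roles = @forums_roles.select { |f, r| f == forum && allowed.include?(r.roletype) }.map(&:last)
    !(user_roles & forum_roles).empty?
  end

  # Wrap the action itself, so hiding a link in the display is never the only control.
  def authorize!(user, action, forum)
    raise SecurityError, "#{user} may not #{action} in #{forum}" unless can?(user, action, forum)
    yield if block_given?
  end
end
```

The same `can?` call serves the view (to decide which options to show) and `authorize!` serves the controller action, so the two cannot drift apart.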