Help with object level roles & permissions

I have an authentication system set up via the activefx tutorial for
restful_authentication. I now need to implement roles and permissions on
a per object basis, as opposed to site wide, 'Is this user an
administrator?', permissions.

There are two types of objects, Groups and Channels, and they each have
one Admin, many Notables, and many Members. I'm presuming it could be
bad to mix my site wide roles/permissions in with the Group & Channel
roles/permissions, although it could potentially keep things tidier if
my Roles table simply has Administrator, Notable, Member (for Site,
Group, Channel objects) and then the Permissions table handles what has
been assigned to Site, Groups or Channels. In fact, I've just been
testing this approach via a polymorphic association in the Permissions
table so that the Groups and Channels are Permissionable (the
Permissions table has role_id, user_id, permissionable_id,
permissionable_type). However, calling a has_many through on the
permissionable polymorphic association seems to be causing problems (I
just keep getting an error message from AR telling me I cannot have a
has_many :through association on the polymorphic object).

Firstly, do I need to avoid mixing site permissions in with object
permissions? If so, do I differentiate between the two, maybe by keeping
site permissions in the Permissions table, and keeping object
permissions in a new Memberships table (this is a naming convention that
I'd be happy with)? Secondly, is it going to be possible to use a
Permissionable polymorphic association on the object permissions, or do I
just want to create separate group_permissions and channel_permissions
tables to avoid any issues with a has_many through on the polymorphic
association?

I would separate it... keep the roles and permission you have with
activefx's tutorial. Then your

group or channel
has_one :administrator, <necessary options here>
has_many :notables, <necessary options here>
has_many :members, :through => :memberships, <other necessary options here>
has_many :memberships

Maybe even the membership model can contain what capacity the user is
in the group? This just popped into my head now.. not too sure if
this would work. Sounds okay though.

--
Ramon Tayag

Thanks, Ramon. This is quite an old post - I've been happily working
along with permissions for a while now. In fact, right now, I'm
integrating per-permission notifications options, whereby a user can
specify which activities they want to be notified about (email) on a
per-group basis.

If you're interested, I posted a question about notifications &
named_scopes, in Railsforum a couple of minutes ago. I've since found a
solution for the first question, but, I know there's room for
improvement;

http://railsforum.com/viewtopic.php?id=22509

Also, my friend Ryan, from ThinkRefresh.com, made a screencast about
polymorphic permissions after I posed the same question to him;

http://thinkrefresh.com/posts/7/polymorphic-permissions

Maybe that'll help anyone else who comes across this post...
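
The per-object check discussed in this thread (a membership row that records the user's capacity on one Group or Channel), as an added example that is not part of the original posts or of the activefx tutorial. It is a plain-Ruby stand-in for an ActiveRecord model; the names Membership, ObjectAcl, grant and allowed? are hypothetical, the role ordering (admin includes notable includes member) is an assumption, and site-wide roles are deliberately not consulted.

```ruby
# Added example: in-memory stand-in for a memberships table with columns
# user_id, role, permissionable_type, permissionable_id (names from the thread).
Membership = Struct.new(:user_id, :role, :permissionable_type, :permissionable_id)

class ObjectAcl
  # Assumption: a higher rank includes the rights of the lower ranks.
  RANK  = { member: 1, notable: 2, admin: 3 }.freeze
  TYPES = %w[Group Channel].freeze

  def initialize
    @rows = []
  end

  # Grant a role on one object. Enforces the thread's "one Admin" rule and
  # keeps at most one row per (user, object).
  def grant(user_id, role, type, id)
    raise ArgumentError, "unknown role #{role}" unless RANK.key?(role)
    raise ArgumentError, "unknown type #{type}" unless TYPES.include?(type)
    other_admin = @rows.any? do |m|
      m.role == :admin && m.user_id != user_id && same?(m, type, id)
    end
    raise ArgumentError, "#{type} #{id} already has an admin" if role == :admin && other_admin
    @rows.reject! { |m| m.user_id == user_id && same?(m, type, id) }
    @rows << Membership.new(user_id, role, type, id)
  end

  # Default deny: no row on this exact object means no access, whatever the
  # user holds on other objects.
  def allowed?(user_id, needed, type, id)
    row = @rows.find { |m| m.user_id == user_id && same?(m, type, id) }
    !row.nil? && RANK.fetch(row.role) >= RANK.fetch(needed)
  end

  private

  # Compare type AND id: Group 1 and Channel 1 are different objects.
  def same?(m, type, id)
    m.permissionable_type == type && m.permissionable_id == id
  end
end

# Constructed sample data.
ACL = ObjectAcl.new
ACL.grant(1, :admin,   "Group",   1)
ACL.grant(2, :notable, "Group",   1)
ACL.grant(2, :member,  "Channel", 1)
```

In a Rails app the one-row-per-(user, object) rule would also need a unique index on the table, since a check made only in application code can race.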