Multi User System -- STI? Roles? Hmmm?

Ok, this is a tricky situation. I have a user system where a user might be an admin, a director, an actor/actress, an extra, or a member. At first, STI sounded great, mainly because a member could just browse, a director and actor/actress has_many movies, and so on. Then I realized that a director could also star in a movie, so STI wouldn't work because of the overlap.

I'm not sure what to do to build this cleanly, I mean, it'd be easy to use STI so I can have model relationships based on type, but if you can't share the models, what am I to do? Use a hacky implementation of roles?

Thoughts? Suggestions?

Thanks!

STI?   Sexually transmitted infection - Wikipedia   http://wiki.rubyonrails.org/rails/pages/singletableinheritance

why don't you just use a role-based authentication system? that way your users may have many different roles. or do actors have different attributes than directors?

it clearly depends on what you're trying to achieve. the better the info you offer, the better the advice you might get.

MaD wrote:

STI?   Sexually transmitted infection - Wikipedia   http://wiki.rubyonrails.org/rails/pages/singletableinheritance

why don't you just use a role-based authentication system? that way your users may have many different roles. or do actors have different attributes than directors?

it clearly depends on what you're trying to achieve. the better the info you offer, the better the advice you might get.

STDs lol. Simple example, a director can direct movies, a browsing member can not. An actor can star in a movie, a browsing member can not.

well that's more or less a question of rights. i guess you could easily manage that with a role-based authentication system.

MaD wrote:

well that's more or less a question of rights. i guess you could easily manage that with a role-based authentication system.

How would you cleanly define a relationship between a user and other models based off a role?

I've used restful_authentication and role_requirement for a similar situation. It's easy to set up, and should allow you to do all the stuff you want. As far as the associations you speak of, you probably need to set up some different find methods with_scope. Check out the following links for more info...

http://github.com/timcharper/role_requirement
http://github.com/technoweenie/restful-authentication
http://api.rubyonrails.org/classes/ActiveRecord/Base.html#M002256

Well, it sounds like you just answered your question. You should associate your other models to your user but then limit their access to it with the permissions that are associated to the roles that they have. Take a look at something like role_requirement. A user can have more than one role, i.e., one user could be an actor, director, and an extra while another director isn't an actor but is an extra... I hope this makes some sense... It's early for me.

I've run into this situation - recently had a client that stated during the initial development that 'Users can only ever have one role'. So I used STI for all the user types; in addition to permission differences, each role had different associations and sitewide navigation.

THEN, the client says, "Well, some people can be more than one thing"...

I ended up using a hackish solution where users get stored with their role as part of their email; i.e., a user with multiple roles would have two records in the DB:

- bob+admin@example.com
- bob+candidate@example.com

Then the login screen and the user models were tweaked so that bob@example.com has a consistent set of profile details and password hash/salt, and could log in as just bob@example.com.

Finally, I added a role select screen so that, in this example, bob could switch between admin and candidate.

I'm not suggesting that this is the best solution, merely a possible one. It was good for my app because the different user types see totally different navigation structures.

--Matt Jones

Mrkris wrote:

Yeah, I love role_requirement, been using it for a while. I guess I'll just stick with it instead of STI.

You might, as an alternative, take a look at Lockdown: http://atlrug.org/stonean/posts/96-Lockdown

I have not tried this yet myself, but what I saw of Lockdown at this month's Atlanta Ruby User's Group (ATLRUG) looked pretty interesting. Maybe it will help.
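
The approach the thread settles on (every model associates to a plain user, and the roles a user holds gate what they may do with it) can be sketched as follows. This is an added example in plain Ruby, not code from any poster or from role_requirement, restful_authentication or Lockdown; the class, method and action names are hypothetical.

```ruby
require "set"

# Added illustration in plain Ruby (no Rails); every name here is hypothetical.
class AccessDenied < StandardError; end

# Role required for each action. Anything not listed is denied.
REQUIRED_ROLE = {
  direct_movie: :director,
  star_in_movie: :actor,
  manage_users: :admin
}.freeze

class User
  attr_reader :name, :roles

  def initialize(name, *roles)
    @name = name
    @roles = Set.new(roles) # a user may hold several roles at once
  end

  # Deny by default: an unknown action has no required role and always fails.
  def can?(action)
    required = REQUIRED_ROLE[action]
    !required.nil? && roles.include?(required)
  end
end

class Movie
  attr_reader :title, :director, :cast

  def initialize(title)
    @title = title
    @director = nil
    @cast = []
  end

  # The association accepts any User; the role check gates the write.
  def assign_director(user)
    raise AccessDenied, "#{user.name} may not direct" unless user.can?(:direct_movie)
    @director = user
  end

  def add_cast_member(user)
    raise AccessDenied, "#{user.name} may not act" unless user.can?(:star_in_movie)
    @cast << user
  end
end

# Movies a user is attached to in either capacity, independent of any "type".
def movies_for(user, movies)
  movies.select { |m| m.director == user || m.cast.include?(user) }
end
```

Because the check lives in the model method rather than only in a controller filter, a user holding both the director and actor roles can fill both associations on the same movie, and a user with neither is refused wherever the call comes from.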