I'm not looking for a complete solution, maybe just a nudge in the right
direction? For example, rather than restricting users to certain classes
(which seems to be the most common example give for
Authorisation/authentication gems) how do I restrict a certain
user to a single instance of a class?
Say, for example I have a site for many authenticated/authorised Users:
* These users are employed at different Companies, many of which might
have
multiple Offices.
* Users employed at one company will never access details of another
company or even be aware of their existence.
I was wondering if nested resources or using the database structure was
the
way to go but I read that more than 2 nesting depths was very bad for
site performance...
Are there any gems/open source projects that make it simpler to
establish
this setup: eg: a single point of entry (on login page for any user) but
then redirect them automatically to the Project list in the
Company/Office they belong to?
Which gems are you specifically referring to as being limited in this
way? For instance, both CanCan and Aegis allow very complex
permissions models to be defined with their DSLs, and I'm pretty sure
the other main options do too.
It's only the most simple permissions-to-roles associations approaches
that I've seen that by design give all users of the same role the same
access to data. But any system that has a "permissions" model should
allow you to define rules that are evaluated for each user (so that a
user assigned to a company can only see orders for that company, etc).
Then think about your structure, right now it seems like you have
-Companies
--Offices
-Users
There are always many logical join tables are, employment (linking to
a company), and work_location (linking to an office, and therefore a
company). Depending on your inevitable goals these many or may not be
appropriate.
Now you use one of the authentication and authorization methods to
restrict controller access to whatever you want.
I share your pain. The rails community seems to be mostly satisfied with role-based access control. However I needed a process whereby I could do group-membership-based access control. In my project, content (Posts, Uploads, Comments, etc.) needed to be protected on a group basis. After much searching I found a way using the CanCan gem and its “hash of conditions” capability. I described the solution in an answer to my own stack overflow question: http://stackoverflow.com/questions/8370654/what-are-the-options-for-group-membership-based-access-control-in-rails
I’ve proven this approach in initial testing. Have yet to push it into scale testing or production, but CanCan seems to be a well-used gem. Hope this helps.