Noob looking for an approach to Memberships in Rails

I'm not looking for a complete solution, maybe just a nudge in the right direction? For example, rather than restricting users to certain classes (which seems to be the most common example given for Authorisation/authentication gems) how do I restrict a certain user to a single instance of a class?

Say, for example I have a site for many authenticated/authorised Users:

* These users are employed at different Companies, many of which might have multiple Offices.

* Users employed at one company will never access details of another company or even be aware of their existence.

I was wondering if nested resources or using the database structure was the way to go but I read that more than 2 nesting depths was very bad for site performance...

Are there any gems/open source projects that make it simpler to establish this setup: eg: a single point of entry (on login page for any user) but then redirect them automatically to the Project list in the Company/Office they belong to?

Thanks in advance for any advice you can give.

Which gems are you specifically referring to as being limited in this way? For instance, both CanCan and Aegis allow very complex permissions models to be defined with their DSLs, and I'm pretty sure the other main options do too.

It's only the most simple permissions-to-roles associations approaches that I've seen that by design give all users of the same role the same access to data. But any system that has a "permissions" model should allow you to define rules that are evaluated for each user (so that a user assigned to a company can only see orders for that company, etc).

You asked for a nudge, but I'll push you off the cliff. First find some useful videos here: Ruby on Rails Screencasts - RailsCasts

Then think about your structure. Right now it seems like you have:

* Companies
  * Offices

There are always many logical join tables: employment (linking to a company), and work_location (linking to an office, and therefore a company). Depending on your inevitable goals these may or may not be appropriate.

Now you use one of the authentication and authorization methods to restrict controller access to whatever you want.

I share your pain. The rails community seems to be mostly satisfied with role-based access control. However I needed a process whereby I could do group-membership-based access control. In my project, content (Posts, Uploads, Comments, etc.) needed to be protected on a group basis. After much searching I found a way using the CanCan gem and its “hash of conditions” capability. I described the solution in an answer to my own stack overflow question:

I’ve proven this approach in initial testing. Have yet to push it into scale testing or production, but CanCan seems to be a well-used gem. Hope this helps.
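To make the "hash of conditions" idea concrete, here is an added, gem-free sketch (not code from the thread or from CanCan) of membership-scoped authorization: the rule's conditions are derived from an employment join table, so a user only passes `can?` for records belonging to companies they are employed at. The `Ability`, `Employment`, user and post data are all constructed for the example; with the real gem the single rule would be `can :read, Post, company_id: user.company_ids` inside `Ability#initialize`.

```ruby
# Added example: a minimal re-implementation of the CanCan hash-of-conditions
# matching, so the scoping logic can be read and run without the gem.
# Models are plain Structs standing in for ActiveRecord; all data is constructed.

User       = Struct.new(:id, :name)
Post       = Struct.new(:id, :company_id, :title)
# The join table the question is after: one row per (user, company) employment.
Employment = Struct.new(:user_id, :company_id)

EMPLOYMENTS = [Employment.new(1, 10), Employment.new(1, 20), Employment.new(2, 20)]

def company_ids_for(user)
  EMPLOYMENTS.select { |e| e.user_id == user.id }.map(&:company_id)
end

class Ability
  def initialize(user)
    @rules = []
    # Hash of conditions: a Post is readable only if its company_id is one of
    # the companies the user is employed at. A user with no memberships gets [],
    # which matches nothing, so "deny" is the default without a separate rule.
    can :read, Post, company_id: company_ids_for(user)
  end

  def can(action, subject_class, conditions = {})
    @rules << [action, subject_class, conditions]
  end

  # Instance-level check: every condition must match the record's attribute.
  # An Array value means "any of these", mirroring CanCan's SQL IN semantics.
  def can?(action, record)
    @rules.any? do |act, klass, conds|
      act == action && record.is_a?(klass) &&
        conds.all? { |attr, val| val.is_a?(Array) ? val.include?(record[attr]) : record[attr] == val }
    end
  end

  # Collection-level filtering, the in-memory equivalent of accessible_by.
  def accessible(action, records)
    records.select { |r| can?(action, r) }
  end
end

POSTS = [Post.new(1, 10, "acme memo"), Post.new(2, 20, "globex memo"), Post.new(3, 30, "initech memo")]

alice = User.new(1, "alice")   # employed at companies 10 and 20
bob   = User.new(2, "bob")     # employed at company 20 only
```

The reason to prefer hash conditions over a block-based rule in CanCan is that only hash conditions can be turned into a query by `accessible_by`, so an index page is filtered in SQL rather than after loading every company's records.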