Ruby on Rails Authentication & Access Control

Hi Forum,

I hope someone can help me.

I have a client who has asked me to develop a project status tracking application using Ruby on Rails which will enable various business partners to view the status of various projects that are currently in progress.

Each business partner will have projects whose status they can view. There will be projects whose status some business partners cannot view.

Would someone please direct me to a plug-in, tutorial or book which will enable me to set up this scenario in Ruby on Rails?

I suppose what I'm really looking for is a facility to not only perform Authentication (i.e., registration, login, logout, etc.) but also Access Control to projects in this case (e.g., User A can view Projects A, B & C, but not Projects D, E & F, in fact, User A doesn't even know that Projects D, E & F exist).

I hope someone can provide direction.

Thanks in advance.

Kind Regards


Have a look at:

And particularly post #5, where the author explains the different "areas" of the application, selected by the user's role.

Regards, Rey9999

I would probably start with the good old faithful restful_authentication plugin. This will give you your basic login/registration pattern. Next, I add the acl_system2 plugin, which allows me to lock down certain sections of the website programmatically by adding roles to users. Very easy.

Next I would create my models, controllers and views for the Projects. Next I would use a polymorphic has_many :through association to "attach" projects to users. By using polymorphism you allow the flexibility to create other types of assets that users might be restricted in viewing. Finally I would create a helper method within the User model that allowed me to check whether a project is viewable by a specific user, e.g. current_user.allowed?(project)

e.g.

user table: id | login | hashed_password | email

roles table: id | title

roles_users table: user_id | role_id

projects table: id | name | description | created_at | updated_at

assetables table (this is your polymorphic association table, where you assign projects to your users): id | user_id | assetable_id | assetable_type

I always get confused with the polymorphic association syntax. If you're stuck, get hold of acts_as_taggable_on_steroids and copy the way they do it, or, just drop back to a has_and_belongs_to_many association until you really need to use polymorphism.

BTW I find make_resourceful invaluable when dealing with polymorphic resources, and, in fact, all RESTful controllers. You might like to take a look too. Take a look inside the actions.rb file to see what it's doing under the hood.

Good luck
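The post above describes the schema and the current_user.allowed?(project) check in prose only. The following is an added example, not code from the thread or from the plugins mentioned: a plain-Ruby model of the five tables (users, roles, roles_users, projects, assetables) with Struct classes standing in for ActiveRecord models and constructed sample rows in place of a database, so the access check can be run offline. The user, role and project names, the AccessControl module and the find_visible_project helper are all assumptions made for the example; the last one also shows how to keep the original poster's requirement that a user "doesn't even know that Projects D, E & F exist" by returning the same not-found result for a hidden project as for a nonexistent one.

```ruby
# Added example (not the thread's or the plugins' code): in-memory model of the
# tables described in the post, plus the allowed?(project) check.

User      = Struct.new(:id, :login, :hashed_password, :email)
Role      = Struct.new(:id, :title)
Project   = Struct.new(:id, :name, :description)
# Polymorphic join row: assetable_type names the model class, so other asset
# kinds (documents, invoices, ...) can reuse the same table later.
Assetable = Struct.new(:id, :user_id, :assetable_id, :assetable_type)

# Constructed sample data (hypothetical users/projects, not real records).
DB = {
  users: [
    User.new(1, 'alice', '<hashed>', 'alice@example.com'),
    User.new(2, 'bob',   '<hashed>', 'bob@example.com'),
    User.new(3, 'root',  '<hashed>', 'root@example.com'),
  ],
  roles:       [Role.new(1, 'admin'), Role.new(2, 'partner')],
  roles_users: [[1, 2], [2, 2], [3, 1]],                 # rows of [user_id, role_id]
  projects:    (1..6).map { |i| Project.new(i, "Project #{('A'.ord + i - 1).chr}", 'status tracking') },
  assetables:  [
    Assetable.new(1, 1, 1, 'Project'),   # alice -> Project A
    Assetable.new(2, 1, 2, 'Project'),   # alice -> Project B
    Assetable.new(3, 1, 3, 'Project'),   # alice -> Project C
    Assetable.new(4, 2, 4, 'Project'),   # bob   -> Project D
  ],
}

module AccessControl
  module_function

  # Role gate in the spirit of acl_system2: does the user hold the named role?
  def has_role?(user, title, db = DB)
    role_ids = db[:roles_users].select { |uid, _| uid == user.id }.map(&:last)
    db[:roles].any? { |r| role_ids.include?(r.id) && r.title == title }
  end

  # The current_user.allowed?(project) helper: admins may view everything;
  # anyone else needs an assetables row matching this asset's id AND type.
  def allowed?(user, asset, db = DB)
    return true if has_role?(user, 'admin', db)
    db[:assetables].any? do |a|
      a.user_id == user.id && a.assetable_id == asset.id && a.assetable_type == asset.class.name
    end
  end

  # Index listing driven by the join table, so projects the user may not view
  # are never rendered at all.
  def visible_projects(user, db = DB)
    db[:projects].select { |p| allowed?(user, p, db) }
  end

  # Show-action lookup. Returns nil both for "does not exist" and for "not
  # allowed", so the controller renders one and the same 404 and the response
  # does not reveal that a hidden project exists.
  def find_visible_project(user, project_id, db = DB)
    project = db[:projects].find { |p| p.id == project_id }
    project && allowed?(user, project, db) ? project : nil
  end
end

if __FILE__ == $PROGRAM_NAME
  alice = DB[:users][0]
  puts AccessControl.visible_projects(alice).map(&:name).inspect   # alice sees A, B, C only
  puts AccessControl.find_visible_project(alice, 4).inspect        # nil: D is hidden from her
end
```

In a real Rails app the `allowed?` method would live on `User` (backed by the has_many :through association) and the controller's show action would call `find_visible_project` before rendering; the important design choice is that the lookup by id and the permission check produce an identical outcome for the user, rather than a 403 that confirms the project exists.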


Or... you could do it all yourself, like the post that just beat me! :wink:

Or sign up for a corporate Basecamp account, spend some time setting up the users and project data, then spend the summer working on all those projects.

Rey9999, Wildtangent & Cynthia.

Thank you for your responses. You've given me a lot of information to review and consider.