Alan <rails-mailing-list@...> writes:
I know that both are possible solutions, but they both sound pretty scary
to me WRT security... Am I just too worried? Or are there better,
commonly used methods?
As mentioned, there is little (if any) difference WRT security.
However, when you have a choice of ways to do things, it's usually best to take
the one which most closely represents your application.
For example, if your admins are users with extra privileges, then one idea would
be to have a users table and a roles table, with a has_many :through
    class User < ActiveRecord::Base            # id
      has_many :privileges
      has_many :roles, :through => :privileges
    end

    class Privilege < ActiveRecord::Base       # id, user_id, role_id
      belongs_to :user
      belongs_to :role
      # a user may hold a given role only once
      validates_uniqueness_of :user_id, :scope => :role_id, :message => "already has this role"
    end

    class Role < ActiveRecord::Base            # id
      has_many :privileges
      has_many :users, :through => :privileges
    end

    @role = Role.find_by_name("Admin")
    Privilege.create(:user => @user, :role => @role)   # new alone would not save the row
If the logins are completely separate then use 2 tables and have separate login
pages. In any case, a boolean field in your users table probably doesn't
represent what you're trying to do, and definitely isn't extendable if you want
to add more levels of user later on. However, it's definitely easier to deal
with and quicker to code, so it depends on how much you need this and how long
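An added example, not code from the thread: the users / roles / privileges design above modelled in plain Ruby, so the grant, uniqueness and role checks can be run without ActiveRecord. RoleStore and its methods are hypothetical names; the Set stands in for the join table.

```ruby
require 'set'

# In-memory stand-in for the roles table plus the privileges join table.
class RoleStore
  class DuplicatePrivilege < StandardError; end
  class UnknownRole < StandardError; end

  def initialize
    @roles = {}             # role name => role id (the roles table)
    @privileges = Set.new   # [user_id, role_id] rows of the join table
  end

  # Adding a role is a data change, not a schema change; that is the
  # extensibility argument against a boolean admin column.
  def add_role(name)
    @roles[name] = @roles.size + 1
  end

  # Mirrors validates_uniqueness_of :user_id, :scope => :role_id:
  # the same (user, role) pair may only be granted once.
  def grant(user_id, role_name)
    role_id = @roles.fetch(role_name) { raise UnknownRole, role_name }
    row = [user_id, role_id]
    raise DuplicatePrivilege, "already has this role" if @privileges.include?(row)
    @privileges << row
    true
  end

  # Returns true if a row was removed, false if the user never held the role.
  def revoke(user_id, role_name)
    role_id = @roles[role_name]
    return false if role_id.nil?
    !@privileges.delete?([user_id, role_id]).nil?
  end

  # The check a before_filter would make. An unknown role name denies
  # rather than raises, so a typo in a filter fails closed.
  def role?(user_id, role_name)
    role_id = @roles[role_name]
    !role_id.nil? && @privileges.include?([user_id, role_id])
  end

  # Role names a user currently holds, e.g. for an audit log line.
  def roles_for(user_id)
    @roles.select { |_, id| @privileges.include?([user_id, id]) }.keys
  end
end

# Constructed sample data: user 1 is made an Admin; "Editor" is a role added later.
def demo_store
  store = RoleStore.new
  store.add_role("Admin")
  store.add_role("Editor")
  store.grant(1, "Admin")
  store
end
```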