Alan <rails-mailing-list@...> writes:
I know that both are possible solutions, but they both sound pretty scary to me WRT security... Am I just too worried? Or are there better commonly used methods?
As mentioned, there is little (if any) difference WRT security.
However, when you have a choice of ways to do things, it's usually best to take the one which most closely represents your application.
For example, if your admins are users with extra privileges, then one idea would be to have a users table and a roles table, with a has_many :through relationship:
class User < ActiveRecord::Base
  # id
  has_many :privileges
  has_many :roles, :through => :privileges
end

class Privilege < ActiveRecord::Base
  # id, user_id, role_id
  belongs_to :user   # the join row holds the foreign keys, so belongs_to rather than has_one
  belongs_to :role
  validates_uniqueness_of :user_id, :scope => :role_id, :message => "already has this role"
end

class Role < ActiveRecord::Base
  # id
  has_many :privileges
  has_many :users, :through => :privileges
end

# ...
@role = Role.find_by_name("Admin")
Privilege.create(:user => @user, :role => @role)   # create saves the join row; new alone would not
# ...
If the logins are completely separate then use 2 tables and have separate login pages. In any case, a boolean field in your users table probably doesn't represent what you're trying to do, and definitely isn't extendable if you want to add more levels of user later on. However, it's definitely easier to deal with and quicker to code, so it depends on how much you need this and how long you have.
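Added example, not from this thread: a plain-Ruby stand-in for the User/Privilege/Role model above, so it runs without Rails or a database. It keeps the one-role-per-user uniqueness rule and shows a role check a privileged action can be gated on instead of an admin boolean; Privilege.grant, User#role? and with_role are assumed names, not Rails API.

```ruby
# Added stand-in for the thread's User/Privilege/Role model in plain Ruby (no Rails);
# Privilege.grant, User#role? and with_role are assumed names, not Rails API.
Role = Struct.new(:name)

class User
  attr_reader :login, :roles
  def initialize(login)
    @login = login
    @roles = []   # plays the part of has_many :roles, :through => :privileges
  end

  # True only if a privilege links this user to a role with that name.
  def role?(name)
    @roles.any? { |r| r.name == name }
  end
end

# Join model; stands in for Privilege and its validates_uniqueness_of.
class Privilege
  def self.grant(user, role)
    raise ArgumentError, "#{user.login} already has role #{role.name}" if user.role?(role.name)
    user.roles << role
    user
  end
end

# Gate a privileged action on a named role rather than an is_admin boolean.
# Returns the block's result when allowed and nil when denied.
def with_role(user, role_name)
  return nil unless user.role?(role_name)
  yield
end

def demo
  admin  = Role.new("Admin")
  editor = Role.new("Editor")   # a further level of user; no schema change needed
  alice  = User.new("alice")
  bob    = User.new("bob")
  Privilege.grant(alice, admin)
  Privilege.grant(bob, editor)
  dup = begin
    Privilege.grant(alice, admin); false
  rescue ArgumentError
    true
  end
  { alice_admin: with_role(alice, "Admin") { :allowed },
    bob_admin:   with_role(bob, "Admin") { :allowed },
    duplicate_rejected: dup }
end
```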