User vs. Administrator best practices

Alan <rails-mailing-list@...> writes:

I know that both are possible solutions but they both sound pretty scary
to me WRT security... Am I just too worried? Or are there better
commonly used methods?

As mentioned, there is little (if any) difference WRT security.

However, when you have a choice of ways to do things, it's usually best to take
the one which most closely represents your application.

For example, if your admins are users with extra privileges, then one idea would
be to have a users table and a roles table, with a has_many :through
relationship:

  class User < ActiveRecord::Base # id
    has_many :privileges
    has_many :roles, :through => :privileges
  end

  class Privilege < ActiveRecord::Base # id, user_id, role_id
    # the join model carries the foreign keys, so it belongs_to both sides
    belongs_to :user
    belongs_to :role

    # one row per (user, role) pair
    validates_uniqueness_of :user_id,
      :scope => :role_id,
      :message => "already has this role"
  end

  class Role < ActiveRecord::Base # id, name
    has_many :privileges
    has_many :users, :through => :privileges
  end

  # ...
  @role = Role.find_by_name("Admin")
  Privilege.create(:user => @user, :role => @role) # new + save
  # ...

If the logins are completely separate then use 2 tables and have separate login
pages. In any case, a boolean field in your users table probably doesn't
represent what you're trying to do, and definitely isn't extendable if you want
to add more levels of user later on. However, it's definitely easier to deal
with and quicker to code, so it depends on how much you need this and how long
you have.
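As an added illustration (not part of the original reply, and not Rails code), here is a plain-Ruby stand-in for the User/Role/Privilege design above: it shows a deny-by-default role check that reads the privileges rows, and the duplicate-grant rule the uniqueness validation expresses. The `grant`, `has_role?` and `roles_of` helpers and the in-memory structs are hypothetical, chosen so the example runs without a database.

```ruby
# Constructed stand-ins for the three models; a real app would use
# ActiveRecord associations instead of arrays and a hash.
Role = Struct.new(:id, :name)
Privilege = Struct.new(:user_id, :role_id)

class User
  attr_reader :id, :privileges

  def initialize(id)
    @id = id
    @privileges = [] # stands in for has_many :privileges
  end
end

class DuplicateGrant < StandardError; end

# Mirrors validates_uniqueness_of :user_id, :scope => :role_id.
# Back this with a unique DB index on (user_id, role_id) in production:
# a model-level validation alone can be raced by two concurrent requests.
def grant(user, role)
  if user.privileges.any? { |p| p.role_id == role.id }
    raise DuplicateGrant, "user #{user.id} already has role #{role.name}"
  end
  user.privileges << Privilege.new(user.id, role.id)
  user
end

# Role names a user currently holds (stands in for user.roles.map(&:name)).
def roles_of(user, roles)
  user.privileges.map { |p| roles.fetch(p.role_id).name }
end

# Deny by default: a user with no matching privilege row is simply "no".
# Adding a new level of user later is a new Role row, not a schema change.
def has_role?(user, roles, name)
  roles_of(user, roles).include?(name)
end

# Constructed sample data, keyed by role id.
ROLES = { 1 => Role.new(1, "Admin"), 2 => Role.new(2, "Editor") }

if __FILE__ == $0
  u = User.new(42)
  grant(u, ROLES[1])
  puts "admin? #{has_role?(u, ROLES, 'Admin')}"   # prints "admin? true"
  puts "editor? #{has_role?(u, ROLES, 'Editor')}" # prints "editor? false"
end
```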