Separate actors and create different roles

Allow different roles and permissions (e.g. normal users vs. admins) in your app by separating actors with namespacing and actor specific controllers.

1. Add an admin field in your users table which takes a boolean value.

   # schema.rb
   
     create_table "users", force: true do |t|
       t.string   "email"
       t.string   "password_digest"
       t.string   "full_name"
       t.datetime "created_at"
       t.datetime "updated_at"
       t.boolean  "admin"
     end
   

2. Create a namespace in your routes

   • This allows us to specify how the actor "admin" can interact and have access to the resource "posts". In this case see and delete "posts".
     
   • For different actors we create different namespaces, i.e. adding another actor, such as a "superadmin" requires a new namespace.
   • You now have new routes, such as admin_posts_path linking to the controller action admin/posts#index. The corresponding URL will read domain.com/admin/posts.
     
     

   # routes.rb
   
   namespace :admin do
     resources :posts, only: [:index, :destroy]
   end
   
   namespace :superadmin do
     resources :users, only: [:index, :create, :destroy]
   end
   

3. Create the actor specific admin controller

   # controllers/admin/posts_controller.rb
   
   class Admin::PostsController < ApplicationController
     def index
       @posts = Post.all
     end
   
     def destroy
     end
   end
   

4. Nest your views under the same folder structure

   • views/admin/posts/index.html.erb

5. Secure access by restricting admin urls to admin users

   before_action :ensure_admin
   
   def ensure_admin
     flash[:error] = "You do not have permission to access this area."
     redirect_to root_path unless current_user.admin?
   end
   

Structure your controllers with inheritance to account for different roles

# controllers/posts_controller.rb

class PostsController < AuthenticatedController
  # standard controller actions
  # ...
end

# controllers/authenticated_controller.rb

class AuthenticatedController < ApplicationController
  before_action :ensure_sign_in 
  # :ensure_sign_in is set as a helper method in the ApplicationController
end

# contollers/admins_controller.rb

class AdminsController < AuthenticatedController
  before_action :ensure_admin

  def ensure_admin
    flash[:error] = "You do not have permission to access this area."
    redirect_to root_path unless current_user.admin?
  end
end

# controllers/admin/posts_controller.rb

class Admin::PostsController < AdminsController
  def index
   @posts = Post.all
  end
end

A SuperAdminController would inherit from AdminsController, because a "SuperAdmin" also has to be "Admin".

Keep in mind that your login doesn't redirect to the normal views, but checks for admin status and redirects to the corresponding view.