Implementing Role-Based Authorization in Rails

Tutorial 3 of 5

Introduction

This tutorial aims to guide you through the process of implementing role-based authorization in Rails. Role-based authorization is a method that restricts access to different parts of your web application based on the role assigned to a user.

By the end of this tutorial, you will learn how to:

  • Design and implement user roles
  • Control access based on user roles
  • Implement role-based restrictions in your Rails controllers and views

Prerequisites: You should have a basic understanding of Ruby on Rails and have Rails installed on your local machine.

Step-by-Step Guide

Designing User Roles

First, we need to design our user roles. For simplicity, let's assume we have two roles: admin and user. We will add a role column to our users table.

rails g migration AddRoleToUsers role:string
rails db:migrate

Implementing Role-Based Restrictions

Now, we need to add some helper methods in our User model to easily check the role of a user.

class User < ApplicationRecord
  def admin?
    role == 'admin'
  end

  def user?
    role == 'user'
  end
end

These methods will return true if the user's role matches the method name.

Code Examples

Let's now implement role-based restrictions in our controllers.

class PostsController < ApplicationController
  before_action :authorize_admin, only: [:edit, :update, :destroy]

  # ...

  private

  def authorize_admin
    # The safe-navigation operator guards against a nil current_user (nobody
    # signed in), which would otherwise raise NoMethodError instead of redirecting.
    redirect_to(root_path) unless current_user&.admin?
  end
end

Here, we are using a before_action to run the authorize_admin method before the edit, update, and destroy actions. If the current user is not an admin, they will be redirected to the root path. Because redirect_to sets the response inside the filter, Rails halts the filter chain and the protected action never runs.

Similarly, we can use these helper methods in our views to display content based on the user role.

<% if current_user.admin? %>
  <%= link_to 'Edit', edit_post_path(@post) %>
<% end %>

In this snippet, the 'Edit' link will only be displayed if the current user is an admin. Hiding the link is a convenience for the user, not a security control: anyone can still request the edit URL directly, so the before_action in the controller is what actually enforces the restriction.
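To see the controller and view rules above working together without a Rails app, here is an added plain-Ruby model of them (example code, not part of the tutorial). It generalizes slightly by giving the not-signed-in case its own outcome; User and PostPolicy are assumed names.

```ruby
# Constructed example: the tutorial's role predicates on a plain struct.
User = Struct.new(:name, :role) do
  def admin?
    role == 'admin'
  end

  def user?
    role == 'user'
  end
end

# Mirrors `before_action :authorize_admin, only: [:edit, :update, :destroy]`:
# these actions need the admin role; every other action is open.
module PostPolicy
  ADMIN_ONLY = %i[edit update destroy].freeze

  # Returns :allowed, :redirect (the before_action's redirect_to root_path)
  # or :login_required. A nil current_user (nobody signed in) is handled
  # explicitly rather than raising NoMethodError on current_user.admin?.
  def self.decide(current_user, action)
    return :login_required if current_user.nil?
    return :allowed unless ADMIN_ONLY.include?(action)

    current_user.admin? ? :allowed : :redirect
  end

  # The view-side check from the ERB snippet: whether to render the 'Edit'
  # link. This only hides UI; decide() is what enforces the rule.
  def self.show_edit_link?(current_user)
    !current_user.nil? && current_user.admin?
  end
end

if __FILE__ == $PROGRAM_NAME
  admin  = User.new('alice', 'admin')
  member = User.new('bob', 'user')
  puts PostPolicy.decide(admin, :destroy)   # allowed
  puts PostPolicy.decide(member, :destroy)  # redirect
  puts PostPolicy.decide(member, :show)     # allowed
  puts PostPolicy.decide(nil, :edit)        # login_required
end
```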

Summary

In this tutorial, you learned how to:

  • Add a role column to the users table
  • Create helper methods in the User model to check the user's role
  • Implement role-based restrictions in your controllers and views

To further your knowledge, you should try to implement more complex role-based authorization systems with more user roles and more complex authorization rules.

Here are some resources for further reading:

Practice Exercises

  1. Add a new role guest to your application. Make it so that guests cannot create, edit, or delete posts.
  2. Restrict access to a secret page to only admins.

Solutions:

  1. Add def guest?; role == 'guest'; end in the User model. Use before_action :authorize_user, only: [:new, :create, :edit, :update, :destroy] in the PostsController.
  2. Create a SecretsController with a show action. Use before_action :authorize_admin, only: [:show] to restrict access to admins.

Remember to practice regularly to become more proficient in Rails and role-based authorization.