- Explain the use of role-based authorization with Devise
- Design a set of roles to model a forum with different permission levels
- Set up Devise roles to implement such a model
In this lab, we're going to make a simple discussion board.
First we'll have a User
model, which pretty much always shows up when we talk
about Devise. There will be three possible roles: user, vip, and admin.
We'll also have a Post
model.
User
s can read anyone'sPost
s, and create, read, update, and delete their ownPost
s.- VIPs can do everything a
User
can do, and update other users'Post
s. - Admins can do anything that
User
s and VIPs can do, and they can delete other users'Post
s.
Provided is a Rails skeleton with the Devise gem installed.
- Run the migrations. A basic
User
model and its migrations have been set up for you as part of the devise install. We'll want to get the roles working. - Take a look at the
User
model and theUser
spec - Run
rspec spec/models/user_spec.rb
- Add roles to the
User
model to get theUser
model specs working - Note: Running
rspec spec/models/post_spec.rb
will fail because we haven't created those model or tables yet. - Now that our
User
model is valid and has roles, let's get its controller working. Run its spec (and it will fail!) withrspec ./spec/controllers/users_controller_spec.rb
- Use the failing specs to help you update the
UsersController.
You'll want to use authentication and authorization filters to help accomplish this goal. Ensure that only administrators can update or destroy users - Run
rails generate devise:views
to generate the views - Be sure to add the ERB code to display the
flash
inapp/views/layouts/application.html.erb
Once you've reached this point, all the User
specs should be passing. For the
next part, we'll create a Post
model, which has different permissions for
different User
roles.
We've written one basic Post
spec for you, but you will need to write
additional specs for the Post
model and controller. You can reference the
feature and model specs for the Users
controller to see how to write these.
- Create a
Post
model and migration.Post
s have an owner and content - Create the
Post
s controller. Ensure that it enforces the following requirements:
Post
s can be created by any user- Anyone can read any
Post
User
s can edit or deletePost
s they own- VIPs can edit anyone's
Post
s - Admins can do anything to any
Post
- Write views for your
Post
s - Try it out!