merb, merb-auth

Merb authentication question


My application has a user part and an /admin part. There are 2 models, Account (like a customer) and Admin, and I should authenticate accounts and admins separately. Admins should not access the account's part and accounts should not access the admin area. Is there any solution for me, or should I write 2 different applications for users and admins and then wait for Merb 1.1 and mount them somehow into 1 app? Any ideas?


Solution

  • Your question seems very interesting to me; I've had the same problems at the beginning. So I can suggest different solutions, from which you can select one depending on your app structure.

    1. If all your users belong to one class but have a special field (like UserClass = (:client, :moderator, :admin, etc.)), you'll have a minimum of app modifications: just check the user class parameter in your controllers/views. I think it is not a good idea for you.

    2. Best practice: use Merb Authentication Strategies. It is a very flexible mechanism, so you can select the classes you want to work with.

    For example, you'll have 2 basic strategies: ClientAuth, AdminAuth. Both of them will use different user classes (Client, Admin). All you need is to create a custom strategy file and then connect it into your router like this:

    # config/router.rb: each block wraps its routes in one strategy, so
    # /profile only accepts Account logins and /admin only Admin logins
    Merb::Router.prepare do
      authenticate(ClientAuth) do
        match('/profile').to(:controller => 'profile')
      end

      authenticate(AdminAuth) do
        match('/admin').to(:controller => 'admin')
      end
    end


    Or, you can use authentication within controller:

    class AdminController < Application
      # Merb's before filter passes :with as arguments, so only AdminAuth
      # is tried for every action in this controller
      before :ensure_authenticated, :with => [AdminAuth]

      def index
        # ... your stuff ...
      end
    end


    Also, you can even use only one controller for authentication for both classes, using both strategies like this:

    class AdminController < Application
      # strategies are tried in order; the first one that returns a user wins
      before :ensure_authenticated, :with => [AdminAuth, ClientAuth]
    end


    Because you have set different user classes (Admin, Client) for your strategies, you will be able to get information about it via session.user.class (class is the basic Ruby method to find out the class of an object).

    Here are some useful links:

    1. http://www.slideshare.net/hassox/merb-auth-presentation
    2. http://merbunity.com/tutorials/19
    3. http://www.slideshare.net/carllerche/merb-pluming-the-router-presentation
    4. http://merbivore.com/documentation/1.0/doc/rdoc/merb-auth-core-1.0/index.html?a=C00000025&name=Strategy
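The separation the answer describes, as an added example that is not from the original post or from merb-auth itself: two models with their own credential stores, one strategy per model, and an ensure_authenticated stand-in that runs the listed strategies in order. The Strategy base class, PasswordCheck module, Credentialed mixin and the sample logins are all constructed for this example; merb-auth's real Strategy has more hooks, and the request here is a plain hash rather than a Merb request object.

```ruby
require 'digest'
require 'securerandom'

# Constructed stand-in for password storage shared by both models: salted
# SHA-256 plus a constant-time comparison. A real app would use bcrypt or
# another slow hash; the point here is the strategy/model separation.
module PasswordCheck
  def self.hash(salt, password)
    Digest::SHA256.hexdigest(salt + password.to_s)
  end

  # Compare every byte without early exit so timing does not reveal
  # how many leading bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Mixed into each model: gives it its own in-memory store and an
# authenticate(login, password) class method (constructed; not Merb's ORM API).
module Credentialed
  DUMMY_SALT = "0" * 16
  DUMMY_DIGEST = PasswordCheck.hash(DUMMY_SALT, "")

  def self.included(base)
    base.extend(ClassMethods)
    base.instance_variable_set(:@store, {})
  end

  attr_reader :login, :salt, :digest

  def initialize(login, password)
    @login = login
    @salt = SecureRandom.hex(8)
    @digest = PasswordCheck.hash(@salt, password)
  end

  module ClassMethods
    def create(login, password)
      @store[login] = new(login, password)
    end

    def authenticate(login, password)
      user = @store[login]
      # Hash even for unknown logins so response time does not reveal
      # which logins exist in this model.
      salt, expected = user ? [user.salt, user.digest] : [DUMMY_SALT, DUMMY_DIGEST]
      ok = PasswordCheck.secure_compare(expected, PasswordCheck.hash(salt, password))
      ok && user ? user : nil
    end
  end
end

class Account; include Credentialed; end   # customer-facing users
class Admin;   include Credentialed; end   # staff users, separate table

# Loose stand-in for Merb::Authentication::Strategy: a strategy inspects the
# request and returns a user object or nil (only run! is mirrored here).
class Strategy
  def initialize(request)
    @request = request
  end
end

class ClientAuth < Strategy
  def run!
    Account.authenticate(@request[:login], @request[:password])
  end
end

class AdminAuth < Strategy
  def run!
    Admin.authenticate(@request[:login], @request[:password])
  end
end

class Unauthenticated < StandardError; end

# Mirrors what authenticate(...) in the router or
# before :ensure_authenticated, :with => [...] does: run the listed
# strategies in order and reject the request if none yields a user.
def ensure_authenticated(request, strategies)
  strategies.each do |strategy|
    user = strategy.new(request).run!
    return user if user
  end
  raise Unauthenticated, "rejected by #{strategies.map(&:name).join(', ')}"
end

def denied?(request, strategies)
  ensure_authenticated(request, strategies)
  false
rescue Unauthenticated
  true
end

# Constructed sample records; one login per model.
Account.create("alice", "client-pw")
Admin.create("root", "admin-pw")

if __FILE__ == $0
  user = ensure_authenticated({ login: "root", password: "admin-pw" }, [AdminAuth, ClientAuth])
  puts "logged in as #{user.class}"   # which model matched, as the answer suggests
end
```

Because each strategy only consults its own model, an Admin login presented to a ClientAuth-guarded route is rejected outright rather than being treated as a weaker Account, which is the property the question asks for; the class of the returned object is what session.user.class would report in a real Merb app.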