Good evening, there's a question, I can't really answer for myself. Let's assume, I've got a rails application for selling cars. A user can create an advertisement by choosing the corresponding model from a table "car_models" and then add additional information. The user should always be able just to _read_ the "car_models" table, not to change it. On the other hand, there's an assistant who administers the "car_models" table, adding, changing and removing entries.
So, where we are? We have our "CarModel" controller with its CRUD methods. And, let's assume, we have a roled based access control implemented. A normal user is a group member of "STD_USER", for example. So he may only access the "get" oder "read" methods, whatever. The assistant however is member of the group "STD_ADMIN", for example, and has access to all methods of our "CarModel" controller. Although this looks secure, I must confess, that I am concerned. What if the RBAC fails for some reasen? What if a normal user gets accidentally in the admin group? Wouldn't it be better to separate those functionalities? Let's say: one administration application and one great wide world application. I'm not convinced myself. How do you handle this? I would be very happy about suggestions. Thank you very much! ms --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
