Yeah, it's better to separate them, but you're still going to be in the same boat as before, really: it's going to be down to whatever qualifier you decide to split the access levels on.
Sent from my iPhone

On 30/01/2009, at 9:18 AM, ms <[email protected]> wrote:

>
> Good evening,
>
> there's a question I can't really answer for myself. Let's assume
> I've got a Rails application for selling cars. A user can create an
> advertisement by choosing the corresponding model from a table
> "car_models" and then add additional information. The user should
> always be able just to _read_ the "car_models" table, not to change
> it. On the other hand, there's an assistant who administers the
> "car_models" table, adding, changing and removing entries.
>
> So, where are we? We have our "CarModel" controller with its CRUD
> methods. And, let's assume, we have a role-based access control
> implemented. A normal user is a group member of "STD_USER", for
> example. So he may only access the "get" or "read" methods,
> whatever. The assistant however is a member of the group "STD_ADMIN",
> for example, and has access to all methods of our "CarModel"
> controller.
>
> Although this looks secure, I must confess that I am concerned. What
> if the RBAC fails for some reason? What if a normal user gets
> accidentally in the admin group?
>
> Wouldn't it be better to separate those functionalities? Let's say:
> one administration application and one great wide world application.
> I'm not convinced myself. How do you handle this?
>
> I would be very happy about suggestions.
>
> Thank you very much!
> ms
>
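As an added example (not from the thread; plain Ruby rather than a Rails controller so it runs stand-alone), here is a deny-by-default permission table for the CarModel actions together with the separation the reply talks about, expressed as a second, independent layer: the public-facing application is only ever handed a read-only repository, so a user who lands in the wrong group still has nothing to write with. The role names come from the question; the action names, the repository classes, `repository_for` and the sample rows are assumptions.

```ruby
# Deny-by-default RBAC for the CarModel controller, plus an independent second
# layer: the public application only ever gets a repository without write
# methods, so a mis-assigned role alone cannot lead to a write. Plain Ruby.
class AccessDenied < StandardError; end
# Role => actions explicitly granted on car_models; anything absent is denied.
PERMISSIONS = {
  "STD_USER"  => %i[index show].freeze,
  "STD_ADMIN" => %i[index show new create edit update destroy].freeze,
}.freeze

# Fails closed: nil or unknown roles and unlisted actions all return false.
def authorized?(role, action)
  PERMISSIONS.fetch(role.to_s, []).include?(action.to_s.to_sym)
end

# What a controller before_action would call; raises instead of returning false.
def authorize!(role, action)
  raise AccessDenied, "#{role.inspect} may not #{action}" unless authorized?(role, action)
  true
end

# Second layer: the read-only repository simply has no write methods.
class CarModelRepository
  def initialize(rows)
    @rows = rows.map { |r| r.dup.freeze }
  end

  def find(id)
    @rows.find { |r| r[:id] == id }
  end
end

# Only the administration application is wired up with this subclass.
class AdminCarModelRepository < CarModelRepository
  def create(attrs)
    row = attrs.merge(id: (@rows.map { |r| r[:id] }.max || 0) + 1).freeze
    @rows << row
    row
  end
end

# Which repository a request gets is fixed by the deployed application,
# not by the role the request presents.
def repository_for(app, rows)
  app == :admin ? AdminCarModelRepository.new(rows) : CarModelRepository.new(rows)
end

# Constructed sample rows standing in for the car_models table.
SAMPLE_CAR_MODELS = [{ id: 1, name: "Golf" }, { id: 2, name: "Polo" }].freeze
```

The split the reply refers to then becomes a deployment decision (`:admin` vs. `:public`) rather than one more qualifier checked at request time.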

