I have a user model and lots of other models in my project, to create a RBAC system I implemented role and permission. User has_and_belongs_to_many roles and Role has_and_belongs_to_many permissions.
class Permission
include Mongoid::Document
field :ability, type: String
has_and_belongs_to_many :roles
belongs_to :permission_for, polymorphic: true, dependent: :destroy
index({ability: 1,permission_for_id: 1},unique: true)
end
class Role
include Mongoid::Document
field :name, type: String
has_and_belongs_to_many :permissions
has_and_belongs_to_many :users
belongs_to :role_for, polymorphic: true
index({name: 1,role_for_id: 1},unique: true)
end
and in User model I have :
Class User
include Mongoid::Document
.
.
.
def able?(scope,model,action)
# There must be something to load and check permissions
end
end
Role defined in a scope (role_for) and Permission defined in Models in Role's scope (project is scope and task is model in that scope) with permission_for.
In User model I need to get data from database and check if user is able to do that action, in large amount of data it take too long. able? function I've implemented is simple, it just load every user's role and every role's permission and then check if permission's ability is equal to action and then return true or false!
Is there any gem or code do something like that? and if there's not, could you give me advise on how to implement role and permission in such way, with much less database load?
Many many tahnks
Edit 1
Ok, I've created this relation and managed to use it in my models, performance in normal use is ok, but when I want to get huge amount data it's very slow. I need to cache roles and permissions in scope model, how can I do such thing? Is there any plugin for rails can do that for me?
Our product is near soft-launch and I implemented that solution but with minor tweaks :
How I've done RBAC :
Project <--- Role <---> Permissions ---> Task ^ (ability) | | V User (able?)This schema is very simplified version of final implementation but the concept is same
User.able?(model,ability)returns true if union of all permissions of user's related roles witch are related to model has a permission with ability.permission >> View Edit Delete V Role -------------------------------- 1 true false false 2 true true false 3 false true false -------------------------------- result true true falseI case of user has role 1,2,3 then user can
view,editbut can'tdeleteTo solve Performance Issue and Database Hit used russian doll caching, for each role I cache Hash representation of permissions :
And then merge this all this hashes for user and again cache that new hash.
In each call of
able?method of User class I get that hash (from cache or if changed generate new from database) and Job Done :)Our worst problem about this caching was cache expiry. So we decided to add new functionality to our ORM (MongoID)
Adding or removing permissions from role will update an attribute in role model (without updating it's timestamps)
For role-user on add/remove/edit role we do so and also for project-role relation.
But for task-permission we've done nothing, because permissions will never change (ability and ID is important).
For role-permission relation update won't trigger update_permission on role.
Hope this help for anybody reach this point.