Chapter 7. Basic access control


This chapter covers

  • Authorizing administrative users
  • Organizing code in namespaces
  • Seeding the database with sample data
  • Adding an admin-only interface to edit user records

As your application now stands, anybody, whether they’re signed in or not, can create new projects. In this chapter, you’ll restrict access to certain actions in the ProjectsController, allowing only a certain subset of users—users with one particular attribute that’s set in one particular way—to access the actions.

You’ll track which users are administrators by putting a Boolean field called admin in the users table. This is the most basic form of user authorization, not to be confused with authentication, which you implemented in chapter 6. Authentication is the process users go through to confirm their identity, whereas authorization is the process used by the system to determine which users should have access to certain things. (More simply, authentication is “Who are you?” and authorization is “Now that I know who you are, what are you allowed to do?”)

You’ll see how you can organize code into namespaces so that you can easily restrict access to all subcontrollers to only admin users. If you didn’t do this, you’d need to restrict access on a per-controller basis, which is prone to errors—it’s easy to miss one and accidentally leave a part of your app wide open for the world to use and abuse.
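The following is an added example, not the book's code, that models the chapter's idea in plain Ruby so it runs without Rails. The hypothetical `ApplicationController` stands in for Rails' `before_action` mechanism, `Admin::BaseController` is the namespaced base controller, and `Admin::ProjectsController` inherits the `authorize_admin!` check without declaring it itself. The user records are constructed sample data. It also shows the fail-closed behaviour the text calls for: a signed-out visitor (`nil` user) and a signed-in non-admin are both turned away, while an admin reaches the action.

```ruby
# Added example (not from the book): a Rails-free model of namespace-level
# access control. Every controller under Admin:: inherits the admin check
# from Admin::BaseController, so a new admin controller cannot be left open
# by forgetting to add the filter to it.

# Constructed stand-in for the users table row with its Boolean admin column.
User = Struct.new(:email, :admin, keyword_init: true)

class ApplicationController
  # Minimal stand-in for Rails' before_action: each class keeps a list of
  # filter method names, and a subclass starts from a copy of its parent's.
  def self.before_action(name)
    filters << name
  end

  def self.filters
    @filters ||= (superclass.respond_to?(:filters) ? superclass.filters.dup : [])
  end

  attr_reader :current_user, :redirected_to, :flash

  def initialize(current_user)
    @current_user = current_user
    @flash = {}
  end

  # Run every inherited filter in order; a filter halts the chain by
  # redirecting, in which case the action itself never runs.
  def process(action)
    self.class.filters.each do |f|
      send(f)
      return :halted if @redirected_to
    end
    send(action)
  end

  def redirect_to(path, alert: nil)
    @redirected_to = path
    @flash[:alert] = alert if alert
  end
end

module Admin
  class BaseController < ApplicationController
    before_action :authorize_admin!

    private

    # Authentication answered "who are you?"; this answers "what may you do?".
    # A nil current_user (not signed in) and a non-admin user are both denied.
    def authorize_admin!
      return if current_user&.admin
      redirect_to("/", alert: "You must be an admin to do that.")
    end
  end

  # Declares no filter of its own, yet is protected through inheritance.
  class ProjectsController < BaseController
    def create
      :project_created
    end
  end
end

# Constructed sample users for the demonstration.
ADMIN  = User.new(email: "admin@example.com", admin: true)
MEMBER = User.new(email: "member@example.com", admin: false)

# Returns [what the controller returned, where it redirected (nil if it did not)].
def attempt_create(user)
  controller = Admin::ProjectsController.new(user)
  result = controller.process(:create)
  [result, controller.redirected_to]
end

if __FILE__ == $PROGRAM_NAME
  p attempt_create(ADMIN)   # => [:project_created, nil]
  p attempt_create(MEMBER)  # => [:halted, "/"]
  p attempt_create(nil)     # => [:halted, "/"]
end
```

The design point is that the check lives on the namespace's base class, so the set of protected controllers is "everything under `Admin::`" rather than "every controller someone remembered to annotate"; a controller that needs to be public simply does not inherit from the admin base.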

7.1. Turning users into admins

7.2. Controller namespacing

7.3. Hiding links

7.4. Namespace-based CRUD

7.5. Summary