I spent my time yesterday looking for ways to administer the site. I wanted to have control of what users could and could not do. While I do want them making friends and creating events, I would not want them to be able to change their own user roles or delete other users. This is a problem that you could spend years, literal years trying to figure out. Every time Facebook works on their authorization model, thousands of voices cry out in terror and suddenly silence.
There are so many different approaches to choose from. You could hard-code the security in, you can put permissions in the database, You can have changeable permissions, Pre-made GUI solutions. You got Cancan, Active-admin, devise,
There is just so much out there, that it’s easy to lose sight of what your specific needs are. In programming, if you don’t build things to your specific needs, you could be asking for trouble. I found this really great screencast on railscasts about creating authorization from scratch. You can create a permissions model and wall off certain controller actions to certain user roles. The best way to do that is to have a pyramid of user roles with admins and the top, and banned accounts at the very bottom. Here’s what I want my authorization model to allow.
1. Administrators can do anything
Anything at all, whether it’s editing users, deleting users, or changing events. It’s not something I’ll delegate to any kind of customer service moderator, but it’ll make things easier if I just have total control. I’m also going to allow administrators to change the number of beta invites for each user which I will implement after the authorization model is complete.
2. Users can make friends, create events, create invites, but they can’t create, edit or destroy any events or users that are not theirs. Editing Game profiles is right out.
Pretty self explanatory stuff, until you try to explain it to a computer.
3. Beta Users need Beta Invites
I’m creating a beta user role because I don’t want new users being created without beta invites. The vanilla user class will just be around for testing purposes and when I take the app out of beta.
4. Banned Users should not be able to do anything.
Since this is a gaming website, there will eventually be griefers who try to make other users lives difficult. Implementing a banhammer of sorts will work as a kind of deterrent. It’s not much of one, but I believe it should be there until I can put more complicated safeguards in place.
So once the authorization is in place and the beta invites system is working, I will transfer the domain name, www.gameplaydate.com to my production server. The very first users will be myself and a few friends. Based on our experiences I can figure out which features I should implement next, and expand the circle of users as the app gets more advanced.