Code The Dream School
Main hub for class materials for Code the Dream’s classes

  • Code the Dream Home

Search Code The Dream School

Midnight Train Project 2

We will build an application for the Coder Alliance for Racial Equity (CARE) which is currently comprised of only CTD people. The application is to provide documentation and resources on racial history, equity, strategy, etc.

High Level Requirements

(1) administrator logon
(2) a timeline of historical events, using a JavaScript timeline control.
(3) Ability for the administrators to add new events to the timeline. In addition to the date, these might include pictures, text summaries, and links.
(4) a display of resources by category.  A resource would be a link and a text summary, along with searchable keywords.
(5) Ability for the administrators to add new categories and resources

There would be no smartphone app, but we would (as a stretch goal) attempt to make the app viewable in smartphone browsers.

Although administrators would need to log in, anyone would be able to view the application. Depending upon time constraints, we might add:
(6) A moderated blog.

User and Administrator Views

We want different views for users (who may not be logged in and do not have the administrator role) and administrators (who are logged in and have the administrator role).

Right now, we have CRUD operations on timeline events. All of the views associated with the events_controller should be visible only to the administrator. Moreover, they should have access control so that they can’t be performed except by an administrator.

Right now, we have CRUD operations on resources. All of the existing views should only be seen by an administrator, and should have access controls so that they are only accessible by an administrator. However, some additional views should be added for users: a user_index method and view for resources, which would show the list of resources. In this list, for each resource, we would have the title, and if a link is available for the resource, the title would be shown as a clickable link that would take you to the target in a separate tab. It would also show the first 20 characters of the description followed by a …, and then a show button. The show button should take you to the user_show view, which would show the complete resource, including all of the description. Again the title would be a clickable link. The link is an optional attribute, and if it is not present, the title would just be shown as non-clickable text. There would be a back button, but no edit button.

We need a new controller, the timelines controller. It would have one method which would show a timeline. The timeline_id of the timeline to show would be passed as a parameter.

The navbar should have the following links: on the left, home, followed by resources. If the logged-on user has a role of “administrator” it should also have an “administration” pulldown with an “edit resources” link, which would take you to the current resources index page, and an “edit events” link, which would take you to the events index page, followed by a “show sample” link, which would take you to the sample timeline. On the right, the navbar should have a logon link (if no one is logged in) or a log off link if a user is logged in. The home link should send you to the show method of the timeline controller, passing as a parameter “CARE-alliance”. The show sample link would connect to the same controller, passing as a parameter “Sample”.

When to Show Administrator Links and Views

There are some Devise helper methods, namely user_signed_in? and current_user. If the user is signed in, you can check whether current_user.role == “administrator”. Only if a user is signed in will current_user be defined, and only if current_user.role is “administrator” should the administrator links be shown.

How to Protect Controller Methods that are Only for Administrators

Suppose someone enters a route that goes to the events controller. This entire controller is for administrators only, so right at the top there should be an invocation of another Devise helper method:

before_action :authenticate_user!

This will ensure that the user must be logged in to do any of the methods of this controller. However this is only the first step. We also have to check to see if the logged in user is an administrator. So we will have a second method:

before_action :user_is_administrator?

This will be a private method that will check if the current user has the administrator role. If the user does not have the administrator role, the user_is_administrator? method should set flash.alert to “You are not authorized to perform that operation.” and should redirect to the home page.

The resources controller should also have these checks, except they should say:

before_action :authenticate_user!, except: [:user_index, :user_show]
before_action :user_is_administrator?, except: [:user_index, :user_show]

This is because users are permitted to do user_index and user_show, without being logged in as an administrator.

Similarly, the timeline controller should do this access control, but in this case it should only be done if the timeline parameter that is passed to the controller is not “CARE-alliance”. This would prevent the non-administrative user from seeing the sample timeline.
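The two-step check (authenticate, then authorize) and the timeline exception can be exercised without a running Rails app. The following is an added example, not the project's own code: User, BaseController, dispatch and redirect_to are hypothetical stand-ins for the Devise/Rails pieces, while the before_action lines and the user_is_administrator? method follow the text above.

```ruby
# Constructed stand-ins for the Devise/Rails pieces so the rules run without Rails.
User = Struct.new(:email, :role)
class BaseController
  def self.before_action(name, except: []) ; (@filters ||= []) << [name, except] ; end
  def self.filters ; @filters || [] ; end
  attr_reader :flash, :redirected_to, :current_user, :params
  def initialize(current_user, params = {})
    @current_user, @params, @flash = current_user, params, {}
  end
  def user_signed_in? ; !current_user.nil? ; end                    # Devise helper stand-in
  def authenticate_user! ; redirect_to("/users/sign_in") unless user_signed_in? ; end
  def redirect_to(path) ; @redirected_to ||= path ; end            # first redirect wins

  # Run the filters that apply to the action; a redirect halts the chain,
  # just as a redirect inside a real before_action halts the request.
  def dispatch(action)
    self.class.filters.each do |name, except|
      next if except.include?(action)
      send(name)
      return redirected_to if redirected_to
    end
    send(action)
  end
  private
  # Step two from the text: logged in is not enough, the role must match.
  def user_is_administrator?
    return if current_user && current_user.role == "administrator"
    flash[:alert] = "You are not authorized to perform that operation."
    redirect_to("/")
  end
end

class ResourcesController < BaseController
  before_action :authenticate_user!, except: [:user_index, :user_show]
  before_action :user_is_administrator?, except: [:user_index, :user_show]
  def user_index ; :public_list ; end      # anyone may view
  def user_show ; :public_detail ; end
  def index ; :admin_list ; end            # administrators only
end

class TimelinesController < BaseController
  # Only "CARE-alliance" is public; any other timeline_id gets both checks.
  def show
    unless params[:timeline_id] == "CARE-alliance"
      authenticate_user!
      user_is_administrator? unless redirected_to
    end
    redirected_to || "timeline #{params[:timeline_id]}"
  end
end
```

Note that an anonymous request is sent to the sign-in page by authenticate_user!, while a signed-in non-administrator gets the flash message and the redirect to the home page, so the two filters fail differently.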

Copyright © 2025 Code the Dream School | All Rights Reserved | Privacy Policy