
Using two instances of Administrate with their own dashboard

Open gabrielrotbart opened this issue 3 years ago • 3 comments

Hi,

I'm trying to use administrate for both our admin team (admin everything) and for each of our client organizations, as an administration dashboard for the organization owner (scoped only to allowable models, like the organization_membership).

I created two application_controllers under two namespaces, which seems to work fine. But I'm unsure how to separate the dashboards (one organisation_membership for /admin and one for /org_admin), as administrate looks for all of them under /dashboards.

Thanks for the help and working on Administrate.

gabrielrotbart avatar Sep 15 '20 05:09 gabrielrotbart

Administrate generally assumes a one-to-one mapping between models and dashboards so this might be quite hard to do.

Do you use any sort of authorization gem (like Pundit)? That'd be the supported and recommended way to solve this problem.

nickcharlton avatar Sep 21 '20 11:09 nickcharlton

Thanks for all the work on Administrate! I have enjoyed using it.

Same question here, but I want to share my thoughts after reading the above discussions.

Based on my understanding (correct me if I'm wrong), the include Administrate::Punditize feature is sufficient in an environment where one person's permission is mostly "vertically-separated" from another. As an example of such, imagine an order-management system where

  1. The admin has access to all orders, stocks, and shipments
  2. Regional store managers have access to all orders, stocks, and shipments scoped to those in the region they are managing
  3. Regional store clerks have view-only access to all orders, stocks, and shipments to those in the region they are managing

Pundit is great because you can say "only people who are XXX can do things other than 'show'," and resolve_admin can be used to show only records from that region. In this case, I agree with @nickcharlton that one is best served with include Administrate::Punditize.

However, if you have certain roles with very little or no overlap with other roles, it might be too cumbersome to keep going on this path.

Using the same example, imagine now you have these additional rules:

  • A supplier manager has access to all stocks and orders (just items and no PII)
  • A regional supplier manager has access to all stocks in their regions
  • A junior regional supplier manager has the same access as above but view-only

You can see that the supplier manager experience is different from the store manager's, and one can say it's more sustainable to maintain the supplier-manager-admin flow as a separate experience (product).

Even though, in this case, it's possible to implement some of the restrictions (like restricting access to order and shipment routes to only the store managers, under an authenticated block), you'll have to go to greater lengths if you want to restrict, say, certain SHOW_PAGE_ATTRIBUTES to only the store managers because you don't want the supplier managers to see PII fields in the orders. I'm assuming this is what prompted @gabrielrotbart to post this question, as it is the reason I'm posting this.

As a comparison, ActiveAdmin (https://activeadmin.info/1-general-configuration.html) supports this use case through namespaces. <== Not to be understood as "gem XXX does this so administrate should do too": depending on where administrate positions itself, it might make perfect sense to decide "administrate" doesn't do it.

liang3404814 avatar Nov 25 '20 06:11 liang3404814

I imagine if your administrate namespace is RegionalManager, you'd like your RegionalManager::ApplicationController to add support for:

    dashboard_namespace :regional_manager
    # or, assuming same namespace as controller
    dashboard_namespace

Each controller in that namespace would then assume its dashboard models are RegionalManager::StockDashboard, RegionalManager::OrderDashboard, and so on.

Since this would be an opt-in feature, it would cause no breaks. Seems like a mild change, combining:

https://github.com/thoughtbot/administrate/blob/1a35ab210435995a5e3afcd1efd4163c9aff9f83/lib/administrate/resource_resolver.rb#L7
https://github.com/thoughtbot/administrate/blob/1a35ab210435995a5e3afcd1efd4163c9aff9f83/lib/administrate/resource_resolver.rb#L37

If this feature request is holding you up in building your application, you can accomplish this with no changes in the library, by overriding RegionalManager::OrdersController#dashboard in each namespaced admin controller. https://github.com/thoughtbot/administrate/blob/master/app/controllers/administrate/application_controller.rb#L128-L130

    def dashboard
      @dashboard ||= RegionalManager::OrderDashboard.new
    end

In my opinion running a couple instances of a library side-by-side with no conflicts is a mark of good modular design; your problem (access roles and permissions) seems like it calls for multiple ...Dashboard models per db model. So long as you don't mind doubling your app's dashboard code and maintaining separate code, go on ahead.

I suppose implementing this would depend on:

  • does overriding a controller's #dashboard enable you to use dual dashboards properly?
  • are you hoping to keep parallel copies of every dashboard in your app, or only for a couple models?
  • is anyone else experiencing a similar problem?

c4lliope avatar Dec 01 '20 18:12 c4lliope
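An added example, not part of the original thread and not Administrate's own code: a plain-Ruby sketch of the per-namespace dashboard lookup discussed above, written to fail closed so that a namespace without its own dashboard never falls back to the top-level one that lists PII attributes. The `SupplierManager` namespace, the attribute names, `namespaced_dashboard_class`, `show_attributes_for` and `MissingNamespacedDashboard` are all hypothetical, and the dashboard classes are stand-ins for real `Administrate::BaseDashboard` subclasses.

```ruby
# Constructed stand-ins for the full-access dashboards used under /admin.
class OrderDashboard
  SHOW_PAGE_ATTRIBUTES = %i[id item quantity customer_name shipping_address].freeze
end

class StockDashboard
  SHOW_PAGE_ATTRIBUTES = %i[id item on_hand].freeze
end

module SupplierManager
  # Namespaced copy for the same model, with the PII attributes left out.
  class OrderDashboard
    SHOW_PAGE_ATTRIBUTES = %i[id item quantity].freeze
  end
  # Deliberately no SupplierManager::StockDashboard.
end

class MissingNamespacedDashboard < StandardError; end

# Hypothetical helper: map "SupplierManager::OrdersController" to
# SupplierManager::OrderDashboard, raising when the namespace has none.
def namespaced_dashboard_class(controller_name)
  *namespace, controller = controller_name.split("::")
  raise ArgumentError, "controller is not namespaced" if namespace.empty?

  # Naive singularization; a Rails app would use String#singularize.
  resource = controller.sub(/Controller\z/, "").sub(/s\z/, "")
  const = "#{resource}Dashboard"
  scope = namespace.inject(Object) do |mod, name|
    unless mod.const_defined?(name, false)
      raise MissingNamespacedDashboard, "unknown namespace #{name}"
    end
    mod.const_get(name, false)
  end
  # inherit=false matters: SupplierManager.const_get("StockDashboard")
  # would otherwise resolve to the top-level ::StockDashboard.
  unless scope.const_defined?(const, false)
    raise MissingNamespacedDashboard, "#{scope}::#{const} is not defined"
  end
  scope.const_get(const, false)
end

# Attributes the show page would render for a given namespaced controller.
def show_attributes_for(controller_name)
  namespaced_dashboard_class(controller_name)::SHOW_PAGE_ATTRIBUTES
end
```

In a namespaced controller the overridden `#dashboard` would instantiate the class this helper returns; the `#dashboard` override itself is the one shown in the comment above.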

Similar issue at https://github.com/thoughtbot/administrate/issues/1764

pablobm avatar May 13 '21 14:05 pablobm