Some developers confuse the terms Authentication and Authorization. At first, I also kind of lumped them both in the same bucket. Eventually, I figured out the differences, and wanted to address the issue here to help clarify things a bit.
User *authentication* is confirming that someone is who they claim to be: looking them up in the Users database to ensure they have an account (and present valid credentials) in your system.
User *authorization* is a system of determining what areas of your app the User can access once they are authenticated into the site.
I use two popular Rails gems that pretty much give you a drop-in solution for authentication and authorization. Devise is a Rails gem for User Authentication, and CanCan (by Ryan Bates of RailsCasts fame) is for User Authorization.
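To make the distinction concrete, here is a small constructed Ruby example (added for this post; it is not Devise or CanCan code, although the `can`/`can?` shape is modelled on a CanCan Ability class). The email addresses, passwords, roles and salt are all made up, and the "database" is an in-memory hash.

```ruby
require "openssl"
# Constructed example, not code from Devise or CanCan: a tiny in-memory
# "Users database" plus one check for each of the two concepts.
SALT = "constructed-demo-salt".freeze
def password_digest(password)
  OpenSSL::PKCS5.pbkdf2_hmac(password, SALT, 10_000, 32, OpenSSL::Digest.new("SHA256"))
end
# Only digests are stored, never the plaintext passwords.
USERS = {
  "alice@example.com" => { role: :admin,  digest: password_digest("correct horse") },
  "bob@example.com"   => { role: :member, digest: password_digest("battery staple") },
}.freeze
# Constant-time comparison so a wrong guess does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# AUTHENTICATION: does this person have an account and hold its credential?
# Returns the user (with email) on success, nil on unknown email or bad password.
def authenticate(email, password)
  user = USERS[email]
  return nil unless user && secure_equal?(password_digest(password), user[:digest])
  user.merge(email: email)
end

# AUTHORIZATION: given an already-authenticated user (or nil for a guest),
# what may they do? The can/can? shape mirrors a CanCan Ability class.
class Ability
  def initialize(user)
    @rules = []
    if user.nil?
      can :read, :article                          # guests may only read
    elsif user[:role] == :admin
      can :manage, :all                            # admins may do anything
    else
      can :read, :article
      can :update, :article, owner: user[:email]   # members edit their own posts
    end
  end
  def can(action, subject, conditions = {})
    @rules << [action, subject, conditions]
  end
  def can?(action, subject, attrs = {})
    @rules.any? do |act, subj, cond|
      (act == :manage || act == action) && (subj == :all || subj == subject) &&
        cond.all? { |key, val| attrs[key] == val }
    end
  end
end
```

Note that `authenticate` answers only "who is this?", and `Ability` is asked a separate question afterwards; a controller that skips the second step has authenticated users who can do anything.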
I ran across these great articles on another blog that describe using Devise and CanCan together:
Article 1: Getting Started with Devise and CanCan. The article includes very detailed steps and code samples for both Devise and CanCan.
Article 2: Devise and CanCan – Restful Resources for Administrators.
You can also read my blog post about Getting started with Devise, which includes lots of other helpful Devise links to get you started.