SpreeCommerce Admin Roles and Access

The concept of roles and permissions is about the ability to control what users can and cannot do within a website. Often a store needs separate people to manage different aspects of the administration and an open access to all admins is not always feasible and advisable.Using the Admin Roles and Access Spree Extension, a new Admin Role can be added and its corresponding permissions can also be selected from the admin end of a SpreeCommerce application.


Types of Permission levels

- Default Permission - Basic permission level required by a user to perform task on user end, like creating an order etc. Every role should be provided with this permission.

- Default Admin Permission - This permissions level is for the admin to be able to access the '/admin' route of the application.

- Manage All - Role with this permission can do everything ie he/she would have permission level of a ‘SuperAdmin’. This permission should only be given to users who are supposed to be able to access the complete application like store owner, super admin etc.


Pattern of the permissions

More permissions levels can be created following the undermentioned pattern.

<can/cannot> <action> <subject> <attributes>

Can/cannot - specifies whether the user with that permission can do or cannot do that task.

Action - specifies the action which can be done by that model or subject like update, index, create etc. There is a special action called 'manage' which matches every action.

Subject - specified the model like products, users etc. of which the permission is given. There is an special subject called all which matches every subject.

Attributes - specifies the attributes for which the permission is specified. Read-only actions shouldn't require this like index, read etc. But it is more secure if we specify them in other actions like create or update.

Examples :

can-manage-spree/product - can perform every action on Spree::Product but not on any other model or subject.

can-update-all - can update all models or subjects.

can-update-spree/product - can update only products, and not users, orders and other things.

can-update-spree/product-price - can update only price of products.

can-manage-all - can perform every action on all models.



The extension is open source and the code is available here



Follow us on twitter for more updates.