Can I use token_authenticatable (from Devise) on a different model than my main authentication model in Rails 3?

I have a User model that Devise manages - i.e. all users have email addy/username/pass, etc. If a user logs in, based on their permissions they get access to different things. That works fine.

But I have a Client model, that I would like to grant a token to so they can access one specific action on one specific controller.

Ideally, I would like to generate a token for client john.brown@abc.com (keep in mind that this is not a User.email, but a Client.email) so they can access the compare action for my stages controller, where stage has an id of 7.

I don't want them to be able to access any other stages, other than id 7, and I don't want them to have to sign in. i.e. once they access that specific URL (for instance, myapp.com/stages/7/compare?token={unique token generated by devise}) they can see it. But they can't take that token and go to stages/8/compare for instance.

Is it possible for me to do that using Devise?

If so, how?


The purpose of Devise's TokenAuthenticatable strategy is to sign in a user that Devise manages via a token. So, Devise has to already manage the model you're signing in, and it sounds like in your app that Client is not being managed by Devise. I do not think it will help you in this instance.


Devise is doing mostly authentication. What you need is an authorization plugin. Try using cancan for example (https://github.com/ryanb/cancan). That will let you grant 'roles' to your users and authorize them to do (or not do) certain actions.

There's also a Railscast available: http://railscasts.com/episodes/192-authorization-with-cancan
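
The requirement in the question (a token for one Client that opens stages/7/compare and nothing else) can be met by signing the scope itself. This is an added example in plain Ruby, not code from either answer and not part of Devise or CanCan; the `ScopedToken` module, the `SECRET` value and the payload layout are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Added example: plain Ruby stdlib, not Devise or CanCan code.
module ScopedToken
  # Constructed placeholder key; load the real one from server-side config.
  SECRET = 'constructed-demo-key'

  module_function

  def sign(payload)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), SECRET, payload)
  end

  # Token for one client, one stage, one action, valid until expires_at.
  def issue(client_email, stage_id, action, expires_at)
    payload = JSON.generate([client_email, stage_id.to_s, action.to_s, expires_at.to_i])
    "#{payload.unpack1('H*')}.#{sign(payload)}"
  end

  # Constant-time comparison: does not reveal how many leading bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns the client email when the token is authentic, unexpired and
  # scoped to exactly this stage and action; nil in every other case.
  def verify(token, stage_id, action, now = Time.now)
    hex, mac = token.to_s.split('.', 2)
    return nil if hex.nil? || mac.nil?
    payload = [hex].pack('H*')
    # Check the MAC before parsing, so only server-issued payloads are parsed.
    return nil unless secure_compare(sign(payload), mac)
    email, tok_stage, tok_action, exp = JSON.parse(payload.force_encoding('UTF-8'))
    return nil unless tok_stage == stage_id.to_s && tok_action == action.to_s
    return nil if now.to_i > exp
    email
  rescue JSON::ParserError
    nil
  end
end
```

A filter on the stages controller would pass the token, stage id and action name from the request to `ScopedToken.verify` and refuse the request when it returns nil, so a token issued for stage 7 is rejected on stages/8/compare.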
