I want to let users write small custom apps (think themes or plugins on Wordpress) and upload/run them on my site.

I'm thinking about using Sinatra apps for this since it would give the users a lot of flexibility, and then running them as middleware inside my rails app.

But I can't figure out the security implications of this. I tried creating a simple sinatra app as middleware, and it has access to all the rails models and everything - so that is bad. Is there a way for rack to keep these separate so that the sinatra apps are effectively sandboxed and can't do any bad things (outside of an API or some specific way I setup for them to communicate)?

There may be an easier way to accomplish this that I haven't thought of too, so ideas welcome. Thanks!