Read up on ActiveRecord with_scope - you might want to do something like this:
Patient.with_scope(
  :find => { :conditions => ["groups.user_id = ?", User.current_user],
             :include => [:groups] } ) do
  Patient.find(:all, :conditions => <other conditions for patient go here>, ...)
end
This is a really nicely structured way of separating the authorisation
concern from the actual query.
Note that you could also include the user table:
:include=>{:groups=>:user} and then use users.user_id in the
condition.
Cheers,
Max
On 8/31/06, Remco Hh <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hello, I found a lot of good authorization plugins which can protect
> controller actions. I need those of course, but I also need something
> else:
>
> I have a large database with patients and based on the authenticated
> user and the groups he or she belongs to, the user only may see his own
> patients.
> In my PHP app, I did this with a query like
>
> select patient.name from patients,groups,users where
> patient.group_id=group.group_id and group.user_id=user.user_id and
> user_id $authenticated user.
>
> Are there better (and more readable ways) in Rails to do this?
> Is there a plugin which supports this kind of authorization?
>
> Looking forward to your answers!
>
> regards,
>
> Remco