Ilya Grigorik
2006-Jun-07 19:00 UTC
[Rails] Adding 'author' functionality to UserEngine / RBAC roles
I'm trying to add / extend the default UserEngine schema (Guest/User/Admin) to support author-only Update/Delete functions. At the moment, I allow 'Guest' to read/view all records, and User additionally has access to create/edit/destroy; however, this means that any registered user is able to modify any record.

My first thought was to add another filter in the chain after the UserEngine's authorize_action. So, I added:

prepend_after_filter :author_permission, :except => [:show, ... ]

In my author_permission I simply check a conditional:

session[:user].id != @object.user_id

and based on that output error messages etc.

Now, this seems to work when I try to call 'edit' on an object: I get redirected and get my notification which says that I'm not an author, hence I can't edit. However, destroy, which does not render anything, seems to pass right through. So it seems like the action is performed right after :authorize_action and :author_permissions is not checked. Is there something I'm missing in the filter chaining rules?

--

Another thought that crossed my mind would be to add an 'Author' role in UserEngine, but then I'm not clear how to check the permissions. Would I have to create a 'permission' object for each 'object' that I try to protect and then assign them to an author role?

Any suggestions/pointers?

You can see my :author_permissions @ http://rafb.net/paste/results/cv5XMC30.html

Cheers,
Ilya

--
Posted via http://www.ruby-forum.com/.
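The ordering problem described in the post (an after filter only runs once destroy has already executed, whereas a before filter that redirects halts the chain so the action never runs) can be seen in this added toy model of the filter chain. It is illustration code written for this page, not Rails or the poster's code; the session/record hashes, the method names and the :after_filter/:before_filter placement flag are constructed.

```ruby
# Tiny re-implementation of the Rails 1.x filter-chain ordering:
# before filters run first, then the action, then after filters.
# Not Rails code; written to illustrate the post's symptom.
class FilterChain
  attr_reader :log

  def initialize(session, record)
    @session = session      # constructed, e.g. { user_id: 7 }
    @record  = record       # constructed, e.g. { id: 1, user_id: 3 }
    @log     = []
    @halted  = false
  end

  # The ownership test from the post: redirect unless the current
  # user owns the record.
  def author_permission
    if @session[:user_id] != @record[:user_id]
      @log << :redirect_not_author
      @halted = true        # a before filter that redirects halts the chain
    end
  end

  # The destructive action itself.
  def destroy
    @log << :destroyed
  end

  # Run the chain. A halting before filter skips the action and the
  # after filters; an after filter only ever sees an action that ran.
  def run(before: [], action:, after: [])
    before.each { |f| send(f); return @log if @halted }
    send(action)
    after.each { |f| send(f) }
    @log
  end
end

# Run destroy with the ownership check placed as an after filter (the
# post's configuration) or as a before filter, and return the event log.
def destroy_as(session, record, placement)
  chain = FilterChain.new(session, record)
  if placement == :after_filter
    chain.run(action: :destroy, after: [:author_permission])
  else
    chain.run(before: [:author_permission], action: :destroy)
  end
end
```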