Ilya Grigorik
2006-Jun-07 19:00 UTC
[Rails] Adding ''author'' functionality to UserEngine / RBAC roles
I''m trying to add / extend the default UserEngine schema (Guest/User/Admin) to support author only Update/Delete functions. At the moment, I allow ''Guest'' to read/view all records, and User additionaly has access to create/edit/destroy, however this means that any registered user is able to modify any record. My first thought was to add another filter in the chain after the UserEngine''s authorize_action. So, I added: prepend_after_filter :author_permission, :except => [:show, ... ] In my author_permission i simply check a conditional: session[:user].id != @object.user_id And based on that output error messages etc. Now, this seems to work when I try to call ''edit'' on an object, I get redirected and get my notification which says that I''m not an author, hence I can''t edit. However, destroy, which does not render anything seems to pass right through. So it seems like the action is performed right after :authorize_action and :author_permissions is not checked. Is there something I''m missing in the the filter chaining rules? -- Another thought that crossed my mind would be to add an ''Author'' role in UserEngine, but then I''m not clear how to check the permissions. Would I have to create a ''permission'' object for each ''object'' that i try to protect and then assign them to an author role? Any suggestions/pointers? You can see my :author_permissions @ http://rafb.net/paste/results/cv5XMC30.html Cheers, Ilya -- Posted via http://www.ruby-forum.com/.
Reasonably Related Threads
- UserEngine -- Permission.synchronize_with_controllers -- trouble with my own controller modules
- Modules, controllers and inheritance
- Authentication: UserEngine or own creation?
- Should I be extending UserEngine for User Preferences?
- UserEngine + User Profiles