Hi!

I recently started with RoR and this may be a newbie question.

I have a company table, employee table and transactions table. 1 company has many employees. Each employee performs many transactions. Employees from different companies LOGIN to the system to record their transactions. Employees can search on all transactions associated to their companies (indirect relationship via employee), and edit only the transactions entered by them. (Of course my actual application has several objects like transactions which employees do, and I am trying to implement the same thing for each.)

So basically, I am trying to implement a "view" of the data once an employee logs in, which shows only those transactions which correspond to the employee's companies. The simple (and tedious) way is to modify all controller options and change all find_* methods to take an appropriate ID to restrict the records they return. Given that there are several entities, this is a tedious approach.

Is there some other way to configure this "data based security"? A simple way which causes the model to restrict the records it throws out in all cases to an appropriate subset? I looked at security frameworks like acts_as_authenticated (which handles only authentication and hence is not relevant), and acl_system2 (which is RBAC, and not necessarily data based).

Looking forward to some help!

-Ashish

--
Posted via http://www.ruby-forum.com/.
On Tuesday, August 01, 2006, at 10:16 PM, Ashish Bansal wrote:

> Is there some other way to configure this "data based security"? A
> simple way which causes the model to restrict the records it throws out
> in all cases to an appropriate subset?
>
> -Ashish
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

I think a plugin was recently released called "acts_as_view" that does this.

_Kevin
www.sciwerks.com

--
Posted with http://DevLists.com. Sign up and save your mailbox.
Ashish Bansal wrote:

> So basically, I am trying to implement a "view" of the data once an
> employee logs in, which shows only those transactions, which correspond
> to the employee's companies.
> The simple (and tedious way) is to modify all controllers options and
> change all find_* methods to take an appropriate ID to restrict the
> records it returns.

Wouldn't accessing those records through employee associations do the trick?

Example:

  @employee.transactions.find :all

instead of

  Transaction.find :all

--
Jack Christensen
jackc@hylesanderson.edu
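To make the difference between the two finders concrete, here is an added example that is not from the thread or from any Rails plugin: a plain-Ruby model of the company/employee/transaction scoping Ashish asks about and Jack answers, written without ActiveRecord so it runs stand-alone. The class names (Company, Employee, Txn), the sample rows, and the helper names (visible_transactions, find_visible, update_amount, NotFound, Forbidden) are all assumptions made for illustration. It shows the unscoped global finder beside the scoped one, a scoped lookup by id that reports "not found" for a record outside the caller's company (so a guessed id from another company reads the same as a nonexistent one), and the separate authorship check for edits.

```ruby
# Added example, not code from the thread. Plain Ruby stand-in for the
# association-scoped access pattern; all names and data are constructed.

NotFound  = Class.new(StandardError)
Forbidden = Class.new(StandardError)

Company  = Struct.new(:id, :name)
Employee = Struct.new(:id, :company_id, :name)
Txn      = Struct.new(:id, :employee_id, :amount)

# Constructed sample data: two companies, three employees, four transactions.
COMPANIES = [Company.new(1, "Acme"), Company.new(2, "Globex")]
EMPLOYEES = [Employee.new(1, 1, "ann"),
             Employee.new(2, 1, "bob"),
             Employee.new(3, 2, "cy")]
TXNS = [Txn.new(10, 1, 100), Txn.new(11, 2, 250),
        Txn.new(12, 3, 75),  Txn.new(13, 1, 40)]

def employee(id)
  EMPLOYEES.find { |e| e.id == id }
end

# The unscoped, table-wide finder (the analogue of Transaction.find :all).
# Calling this from a controller leaks every company's rows.
def unscoped_find_all
  TXNS
end

# Scoped read: the transactions an employee may see are those recorded by
# any employee of the same company (employee -> company -> employees -> txns).
def visible_transactions(employee)
  colleague_ids = EMPLOYEES.select { |e| e.company_id == employee.company_id }.map(&:id)
  TXNS.select { |t| colleague_ids.include?(t.employee_id) }
end

# Scoped lookup by id. A record outside the caller's company is reported as
# not found, exactly like a nonexistent id, so the scope cannot be probed.
def find_visible(employee, id)
  visible_transactions(employee).find { |t| t.id == id } ||
    raise(NotFound, "transaction #{id}")
end

# Edit rule from the question: only the author may edit. The read scope is
# applied first, then authorship is checked on the record that came back.
def update_amount(employee, id, amount)
  txn = find_visible(employee, id)
  raise Forbidden, "not the author of transaction #{id}" unless txn.employee_id == employee.id
  txn.amount = amount
  txn
end

if __FILE__ == $PROGRAM_NAME
  ann = employee(1)
  puts "unscoped: #{unscoped_find_all.map(&:id).inspect}"
  puts "ann sees: #{visible_transactions(ann).map(&:id).inspect}"
end
```

In Rails the same shape is obtained by walking the associations instead of calling the class-level finder, as Jack suggests: a has_many :through from Company to Transaction gives a company-scoped collection, and the "author only" rule is a second check on the single record that the scoped lookup returns, never a filter applied to an unscoped result.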