I have an application that requires some complex access rules. Certain fields can only be edited by certain roles. I am using restful_authentication and role_requirement plugins so I am fine with restricting an entire controller or specific action based on a role. I am trying to come up with a solution that would allow me to specify something as a text field but make it just plain text if the user does not have edit permissions. Anyone have any ideas on fine grain access control like this? Can you point me to a project that uses something like this? TIA, Sean --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Danimal
2008-Mar-30 02:33 UTC
Re: Role based restriction for fields (not views or actions)
Sean, I don''t have any leads for you, but I''m very interested in this myself. I do have one thought: I imagine you could roll your own text field helper method (and then probably helper methods for the other form elements). Something like: require ''active_support/inflector.rb'' module ActionView module Helpers module FormHelper def secured_text_field(object_name, method, options = {}) current_user.has_role?(options[:required_role]) ? "<div id=\"#{object_name}_#{method} \">#{object_name.instance_eval(method.to_s)}</div>" : text_field(object_name, method, options) end end end end # (I added the above to the ApplicationHelper.rb file but not within the Module namespace... i.e. after it.) And you''d call it with something like: <% form_for(@foo) do |f| %> <p> <%= f.label :name %><br /> <%= secured_text_field @foo, :name, :required_role => "admin" %> </p> <% end %> If the current_user has the "admin" role, then you''d get: <form tag...> <p> <label for="foo_name">Name</label><br /> <input id="foo_name" name="foo[name]" size="30" type="text" value="" /> </p> </form> But if the current_user has any other role, you''d get: <form tag...> <p> <label for="foo_name">Name</label><br /> <div id="foo_name">Some Name</div> </p> </form> I''m sure there''s a cleaner way, but the above works. I tried doing it within the FormBuilder constrains (i.e. "f.secured_text_field...") but I don''t understand that code... lots of meta-programming there. Anyway, I tested the above and it works. Hopefully that gets you started. -Danimal --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Danimal
2008-Mar-30 02:45 UTC
Re: Role based restriction for fields (not views or actions)
Heh... I''m still learning. The namespacing was unnecessary. Slap it right in the middle of the ApplicationHelper module, I.e.: module ApplicationHelper def secured_text_field(object_name, method, options = {}) options[:required] == "yes" ? content_tag(:div, "#{object_name.instance_eval(method.to_s)}", :id => "#{object_name.class.to_s.underscore}_#{method}") : text_field(object_name, method, options) end end There''s probably a cleaner way to get "foo_name" for the ID but the above works... and is terse and to the point. -Danimal --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Hi, i think there is a ruby gem called model_security which provides such fine grained access control from within the model. I don''t know though if it''s mantained and up to date and/or runs nicely on rails 2. Hops that helps. Cheers! Alberto. On Mar 29, 7:43 pm, schof <sean.schofi...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> I have an application that requires some complex access rules. > Certain fields can only be edited by certain roles. I am using > restful_authentication and role_requirement plugins so I am fine with > restricting an entire controller or specific action based on a role. > > I am trying to come up with a solution that would allow me to specify > something as a text field but make it just plain text if the user does > not have edit permissions. Anyone have any ideas on fine grain > access control like this? Can you point me to a project that uses > something like this? > > TIA, > > Sean--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
sergecpelletier
2008-Mar-31 12:44 UTC
Re: Role based restriction for fields (not views or actions)
There''s also the acl2 plugin from Ezra. http://opensvn.csie.org/ezra/rails/plugins/dev/acl_system2/ It has a view helper, <% restrict_for "role" do %> which will let you only show what is part of the code block in the view. Hope this helps. Serge On Mar 30, 10:26 am, apm <alberto.perd...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> Hi, > > i think there is a ruby gem called model_security which provides such > fine grained access control from within the model. > I don''t know though if it''s mantained and up to date and/or runs > nicely on rails 2. > > Hops that helps. > > Cheers! > Alberto. > > On Mar 29, 7:43 pm, schof <sean.schofi...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > I have an application that requires some complex access rules. > > Certain fields can only be edited by certain roles. I am using > > restful_authentication and role_requirement plugins so I am fine with > > restricting an entire controller or specific action based on a role. > > > I am trying to come up with a solution that would allow me to specify > > something as a text field but make it just plain text if the user does > > not have edit permissions. Anyone have any ideas on fine grain > > access control like this? Can you point me to a project that uses > > something like this? > > > TIA, > > > Sean--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---