I am trying to implement a basic user permissions system with three
access levels; 1, 2, and 3 (with 1 being the highest). A user should be
able to create a new user but they should only at or below their own
permissions level. e.g. a level 2 user who is logged in should only be
able to create a level 2 or level 3 user.
I have sessions set up such that a user must be logged in to access the
site and their user_id is stored in a session variable. The new and edit
views for the User model are designed so that only the appropriate
levels are displayed to the user. This is achieved by retrieving the
user_id from the session data, getting current users level, and using
the information to populate a drop down list.
I would like to add validation to my Users model to check that the user
who is adding user has the appropriate access level. This should protect
the database against someone bypassing the form.
I have tried to add the custom validation seen below but the session
variable :user_id is not available to the model.
def appropriate_level
user = User.find(session[:user_id])
errors.add_to_base("Cannot set user level above #{user.level}" )
if
level > user.level
end
Any ideas?
--
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---