I have an Organization that has_many Affiliations And a mission that has_one Organization
So i can do this:
m = Mission.first
m.organization.affiliations
A user also has_many affiliations so I can do:
u = User.first
u.affiliations
In declarative_authorization I want a user to be able to manage a mission if he is affiliated to the organization of the mission. I have this:
has_permission_on :missions, :to => [:manage] do
if_attribute :organization => { :affiliations => intersects_with { user.affiliates.type_admin } }
end
But I'm getting this error:
Permission denied: new not allowed for #<User id: 2, firstname: "Miguel", lastname: "Alho", email: "blah@blah.com", birthday: "2010-07-05 20:24:00", crypted_password: "...", password_salt: "...", persistence_tok开发者_StackOverflow中文版en: "...", perishable_token: "...", created_at: "2010-03-05 20:25:34", updated_at: "2010-03-30 15:45:36"> on #<Mission id: nil, user_id: nil, organization_id: nil, name: nil, objectives: nil, created_at: nil, updated_at: nil>
The Mission and Organization are nil. I think that is because on the new, the mission.organization dosn't exists.
On the mission controller I have this:
def new
if(params[:organization_id])
session[:organization_id] = params[:organization_id]
@mission = Organization.find_by_id(params[:organization_id]).missions.build
end
end
I can't speak to why your technique isn't working, but here's how I accomplished a similar thing.
From what I gather in your code examples you only want users that are affiliated with a mission's organization to be able to manage that mission. Furthermore that user must be of type admin. What I've done in the past is created a has_many relationship in your organization model that has a few extra conditions that filter out affiliations that not of type admin:
has_many :admins, :source => :user, :through => :affiliations, :conditions => "affiliations.type = 'admin'"
Then in your authorization_rules.rb you add in this rule:
has_permission_on :missions, :to => [:manage] do { if_attribute :organization => {:admins => contains {user}}}
精彩评论