开发者

declarative_authorization: control access to nested resource that doesn't have an explicit model

开发者 https://www.devze.com 2023-01-08 01:34 出处:网络
I have a model that allows a User to mark other Users as Favorites. This HABTM relationship is defined in the User model:

I have a model that allows a User to mark other Users as Favorites. This HABTM relationship is defined in the User model:

class User < ActiveRecord::Base
  has_and_belongs_to_many :favorites, :class_name => "User", :join_table => "favorites", :association_foreign_key => "favorite_id", :foreign_key => "user_id"
end

The FavoritesController only requires three actions (index, create, destroy) to manage a User's Favorites.

Rule: Only an authenticated user (current_user) is allowed to manage their Favorites.

Initially, I tried to represent this rule in the authorization_rule.rb file:

# allow authenticated user to update profile
has_permission_on :users, :to => :change do
  if_attribute :id => is { user.id }
  has_permission_on :favorites, :to => [:index,:create,:destroy]
end

This didn't work, probably because the Favorite doesn't have an explicit model (i.e. favorite.rb). Though I could be wrong about this.

It seems like the correct approach would be to represent the rule in the FavoritesController:

filter_access_to :all, :nested_in => :users
...

But I'm not certain how to represent the rule properly here.

Assistance is really appreciated.

** edit **

It was suggested that I use a context to control access in this situation: setting permissions for a no-model controller .

I 开发者_StackOverflow中文版tried modifying the FavoritesController:

filter_access_to :all, :context => :favorites

This change had no effect.

** /edit **

0

精彩评论

暂无评论...
验证码 换一张
取 消