I need to make sure a user has the correct permissions before allowing them to edit an employee's information. Specifically, the user has to be an admin and the user must belong to the same company as the employee. What's the best way to do something like this?
```ruby
class EmployeesController < ApplicationController
  # Only allow access if user.admin is true and user.company_id is equal to
  # employee.company_id. The filter has no way to receive the company id as an
  # argument, so it has to look up the employee itself from params[:id].
  before_filter :requires_admin_from_company, :only => [:edit, :update]

  def update
    @employee = Employee.find(params[:id])
    @employee.update_attributes(params[:employee])
  end

  private

  # Somehow get @employee.company_id in here
  def requires_admin_from_company
    cid = Employee.find(params[:id]).company_id
    if !@current_user.admin? || @current_user.company_id != cid
      redirect_to login_url
    end
  end
end
```
How about

```ruby
before_filter lambda{ requires_admin_from_company(params[:cid]) }, :only => :create
```
I've found Authorization with CanCan to be very helpful in these situations
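As an added illustration of both answers above (this is example code, not code from the question, the answers or CanCan), here is a plain-Ruby model of the "admin of the same company" rule that runs without Rails. It follows the CanCan shape of declaring an Ability and querying it with `can?(action, record)`, and it sits the check on the employee record loaded by id rather than on a company id supplied in the request. The `User`, `Employee`, `Ability` and `EMPLOYEES` names are constructed stand-ins for the app's models and database; the assumption is that every user and employee carries a `company_id`.

```ruby
# Constructed stand-ins for the app's models (not the project's real classes).
User = Struct.new(:id, :admin, :company_id) do
  def admin?
    admin == true
  end
end

Employee = Struct.new(:id, :company_id)

# Ability mirrors the CanCan interface: rules live in one place, the caller
# asks can?(action, record), and anything not explicitly allowed is denied.
class Ability
  def initialize(user)
    @user = user
  end

  def can?(action, employee)
    return false unless action == :update
    return false if @user.nil? || !@user.admin?
    # Compare against the company of the record actually being edited,
    # never against a value the client chose.
    @user.company_id == employee.company_id
  end
end

# Constructed in-memory repository standing in for Employee.find.
EMPLOYEES = {
  7 => Employee.new(7, 100),
  8 => Employee.new(8, 200),
}.freeze

# What the before_filter should do: load the employee by id, then decide.
# Returns :allow, :redirect (to login_url) or :not_found.
def authorize_update(current_user, employee_id)
  employee = EMPLOYEES[employee_id]
  return :not_found if employee.nil?
  Ability.new(current_user).can?(:update, employee) ? :allow : :redirect
end

# The weak variant: comparing against a company id taken from the request
# (params[:cid]). The client controls that value, so the check no longer
# ties the user to the employee being edited; kept here only to contrast.
def authorize_update_trusting_param(current_user, cid_param)
  return :redirect if current_user.nil? || !current_user.admin?
  current_user.company_id == cid_param.to_i ? :allow : :redirect
end
```

The contrast worth noticing is the last pair of functions: `authorize_update` refuses an admin of company 100 who tries to edit employee 8 (company 200), while `authorize_update_trusting_param` lets the same admin through as soon as the request carries `cid=100`, whichever employee id is in the URL. Deriving the company from the loaded record is what makes the filter enforce the rule the question states.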