I have a roles table and I check authorization as:

  def can_be_deleted_by?(user)
    # Anonymous users have no role; guard before calling user.role.name
    return false if user.role.nil?
    # Roles that may delete any item, in addition to the item's creator
    valid_roles = %w{admin creator}
    return false unless user.username == self.creuser ||
      valid_roles.include?(user.role.name)
    return true
  end

One other thing I had to modify after using the null object was to check 
user.role.nil? before calling user.role.name, which otherwise checks 
nil.name for an anonymous user.

The delete action can be performed only by an admin or the one who created 
that topic/item. Hence I am using roles as well as a check by 
username (creator).

-
CS.


Bharat Ruparel wrote:
> Hello Carlos,
> I am glad it worked for you.  Access control is a fundamental
> requirement along with authentication.  Jim Neath's Bort which is
> available on Github, packages Role Requirements written by Tim Harper
> along with Restful Authentication for creating a baseline
> application.  Tim has done an excellent job of implementing a
> "minimal" authorization plugin.  I am using Bort to develop my own
> toolkit for creating applications.
> I looked at the article that you list above.  It is very well written
> and very nice to learn from.  The key thing missing from it is that it
> fails to deal with Roles and instead deals directly with users.  I
> think a minimal layer of roles between users and controllers is a key
> requirement.
> I am not saying that Role Requirement is the only plugin that
> addresses it.  It is just that it is packaged with Bort, which has other
> key plugins in addition to Restful Authentication and Role
> Requirements.  Gets the job done.
> So instead of saying session[:current_user].nil? you may want to say
> [:current_user].has_role?('anonymous') for example.  See the method
> "has_role?" provided by Role Requirement?  That is the key in my
> opinion.
> I may be wrong, but that is where I am going with this.
> Hope this helps.
> Bharat

-- 
Posted via http://www.ruby-forum.com/.
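The check above, taken one step further as an added example (this is not CS's or Bort's code). It gives the anonymous user a null-object role so that user.role.name is always safe to call, writes the delete check deny-by-default, and handles the edge case the post's nil guard does not cover: a topic whose creator column is nil compared against a user whose username is nil. Role, NullRole, User, AnonymousUser, Topic and DELETE_ROLES are assumed names for the example.

```ruby
# Added example, not the original poster's code. Demonstrates the
# null-object idea from the thread: an anonymous user carries a NullRole,
# so the check can call user.role.name without a nil guard, and the
# creator comparison never passes on nil == nil.
# Role, NullRole, User, AnonymousUser and Topic are assumed names.

Role = Struct.new(:name)

# Null object standing in for "no role": responds to #name like a real
# Role, but its name matches nothing in the permitted-role list.
class NullRole
  def name
    nil
  end
end

User = Struct.new(:username, :role) do
  def anonymous?
    false
  end
end

# Null object standing in for "not logged in": no username, a NullRole.
class AnonymousUser
  def username
    nil
  end

  def role
    NullRole.new
  end

  def anonymous?
    true
  end
end

class Topic
  # Roles allowed to delete any topic regardless of who created it.
  DELETE_ROLES = %w[admin].freeze

  attr_reader :creuser

  def initialize(creuser)
    @creuser = creuser
  end

  # Deny by default. Order matters: reject anonymous users first, grant
  # privileged roles next, and only then fall back to the creator check.
  def can_be_deleted_by?(user)
    return false if user.anonymous?
    return true if DELETE_ROLES.include?(user.role.name)
    # Compare only when both sides are present: a topic whose creuser
    # is nil must not be deletable by a user whose username is nil.
    !creuser.nil? && !user.username.nil? && user.username == creuser
  end
end
```

With this shape the role table only has to list the roles that may delete anything (admin here); ownership is decided by the username comparison rather than by a separate "creator" role name, and the two nil checks are what stop an ownerless record from becoming deletable by an account with no username.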

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---