You need to do two different things here. To get rid of the delete link if the user is an admin you need to look at this: http://wiki.github.com/activescaffold/active_scaffold/per-request-configuration

Inside of the before filter you will need to do active_scaffold_config.actions.exclude :delete and active_scaffold_config.actions.add :delete. This only removes the link from the screen though. If a user hits the action on the controller they could still potentially delete the record; this is where you use the delete_authorized? method and just have that method return false if the user is not an admin. You do not need to use RESTful authentication. There are already hooks built into ActiveScaffold that allow you to see if the user is authorized for that action.

On Thu, Apr 23, 2009 at 5:18 PM, [email protected] <[email protected]> wrote:

> Tried delete_authorized? and destroy_authorized?, using the security layer. Also I've tried the "before_filter :add_delete_if_admin" method. I am still able to delete using a non-admin user. I can't even hide the delete option based on the user permission.
>
> Soren, when you mention the "RESTful authentication", is it already built into ActiveScaffold? I'm using a custom user system based on the login generator. Please shed some light. Please.....
>
> On Apr 10, 1:39 pm, Soren <[email protected]> wrote:
> > Check out the wiki section on github - and in particular the one on security.
> >
> > It will take you through the various levels of security - and they do actually work.
> >
> > To limit a controller action just use:
> >
> > #{action_name}_authorized? in your controller or helper. So far I can only make it work with the built-in controllers - for your own controllers I just posted to figure out how to do that.
> >
> >     def update_authorized?
> >       ['admin', 'something', 'something'].include?(current_user.role)
> >     end
> >
> > The role needs to match what your authentication system gives you - this works with restful_authentication.
> >
> > And if you need something more detailed, here is what I use in one of my models to prevent non-admins from destroying a record:
> >
> >     def authorized_for_destroy?
> >       if existing_record_check?
> >         if current_user.role == 'admin'
> >           return true
> >         else
> >           return (self.user_id == current_user.id)
> >         end
> >       else
> >         return true
> >       end
> >     end
> >
> > On Apr 10, 6:27 am, Kenny Ortmann <[email protected]> wrote:
> > > It might be :destroy instead of :delete.
> > >
> > > On Thu, Apr 9, 2009 at 3:13 PM, [email protected] <[email protected]> wrote:
> > > > I've tried this and the admin role checking works but it didn't add the "delete" action to the menu. I've added some debug session data to verify that. Maybe something is wrong with the "active_scaffold_config.actions.add :delete" statement?
> > > >
> > > >     if @session['user'].admin
> > > >       active_scaffold_config.actions.add :delete
> > > >       @session['permission'] = "1"
> > > >     else
> > > >
> > > > I've added the filter definition in the application controller and added the before filter to the controller where I need to add the delete. But the delete doesn't show.
> > > >
> > > > On Apr 7, 11:36 am, Kenny Ortmann <[email protected]> wrote:
> > > > > You can't get to the session when you are declaring the config. You need to do this in a before filter.
> > > > >
> > > > >     before_filter :add_delete_if_admin
> > > > >
> > > > >     def add_delete_if_admin
> > > > >       if session['user'].admin
> > > > >         active_scaffold_config.actions.add :delete
> > > > >       else
> > > > >         active_scaffold_config.actions.exclude :delete
> > > > >       end
> > > > >     end
> > > > >
> > > > > You should also implement this method, which will prevent the deletion from happening if someone is trying to URL hijack and delete things.
> > > > >
> > > > >     def delete_authorized?
> > > > >       session['user'].admin
> > > > >     end
> > > > >
> > > > > On Mon, Apr 6, 2009 at 11:27 PM, [email protected] <[email protected]> wrote:
> > > > > > Does anyone know how to check the current user field (I have an admin field to have a simple role-based permission level) in the "config.actions.add :delete" line?
> > > > > >
> > > > > > The generated login system stores the session['user'], and I was able to use that object data in the view but not in the controller where I use config.actions.add to add the delete as an option for admins only.
> > > > > >
> > > > > > I tried it with @session['user'].admin, session['user'], and other variations and it wasn't able to even pull that session up.
> > > > > >
> > > > > > Can anyone please help?

You received this message because you are subscribed to the Google Groups "ActiveScaffold : Ruby on Rails plugin" group. For more options, visit this group at http://groups.google.com/group/activescaffold?hl=en
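As an added illustration (not from the thread and not ActiveScaffold's own code), the plain-Ruby stand-in below models the two layers the replies keep separating: the per-request actions.add / actions.exclude call, which only decides whether the delete link is rendered, and the delete_authorized? hook, which the plugin consults before it runs the action. ActionsConfig, ArticlesController, the scenario helper and the enforce: flag are constructed for this example so it runs offline; in a real app ActiveScaffold supplies the config object and calls the hook itself.

```ruby
# Constructed stand-in for the two ActiveScaffold layers discussed in the
# thread. Nothing here is the plugin's real implementation; it only models
# the behaviour so the "hidden link is not authorization" point can be run.

User = Struct.new(:name, :admin)

# Stand-in for active_scaffold_config.actions: a per-request set of actions
# whose only effect is which links the list view renders.
class ActionsConfig
  attr_reader :actions

  def initialize(actions)
    @actions = actions.dup
  end

  def add(action)
    @actions << action unless @actions.include?(action)
  end

  def exclude(action)
    @actions.delete(action)
  end
end

# Stand-in controller (hypothetical name). `records` plays the role of the
# table the destroy action deletes from.
class ArticlesController
  attr_reader :session, :records

  def initialize(session, records)
    @session = session
    @records = records
    # Fresh copy per request, as the per-request configuration wiki page
    # describes (modelled here, not the plugin's mechanism).
    @actions = ActionsConfig.new([:list, :show, :create, :update, :delete])
  end

  # The before filter from the thread: affects the UI only.
  def add_delete_if_admin
    if session['user'].admin
      @actions.add :delete
    else
      @actions.exclude :delete
    end
  end

  # The security hook: the plugin calls #{action}_authorized? before the
  # action runs, so a direct request is refused regardless of the link.
  def delete_authorized?
    session['user'].admin
  end

  # Links the list view would render for this request.
  def visible_links
    add_delete_if_admin
    @actions.actions
  end

  # Models a request sent straight to the destroy route (the "URL hijack"
  # case). `enforce:` toggles whether the hook is consulted, to contrast the
  # two outcomes; the real plugin always consults it.
  def destroy(id, enforce: true)
    return :forbidden if enforce && !delete_authorized?
    records.delete(id) ? :deleted : :not_found
  end
end

ADMIN = User.new('alice', true)   # constructed sample users
GUEST = User.new('bob', false)

# Runs one request as `user` against a constructed two-record table and
# reports whether the link was shown, what destroy returned, and what is left.
def scenario(user, enforce: true)
  records = { 1 => 'first post', 2 => 'second post' }
  ctrl = ArticlesController.new({ 'user' => user }, records)
  links = ctrl.visible_links
  outcome = ctrl.destroy(1, enforce: enforce)
  { delete_link_shown: links.include?(:delete), outcome: outcome, remaining: records.keys }
end

if __FILE__ == $PROGRAM_NAME
  puts "guest, link hidden, hook skipped:  #{scenario(GUEST, enforce: false)}"
  puts "guest, link hidden, hook enforced: #{scenario(GUEST, enforce: true)}"
  puts "admin, link shown,  hook enforced: #{scenario(ADMIN, enforce: true)}"
end
```

The first scenario is the situation the thread warns about: the non-admin never sees a delete link, yet the record is gone after a direct request, because nothing on the server side refused it. Adding the hook (second scenario) turns the same request into a refusal, while the admin (third scenario) still both sees the link and succeeds.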
