Seems to be working in an individual controller. However, if I try to place delete_authorized? in the application controller, it doesn't work. Thanks a lot for all your support.

On Apr 24, 9:44 am, Kenny Ortmann <[email protected]> wrote:
> You need to do two different things here. To get rid of the delete link if
> the user is not an admin you need to look at this:
> http://wiki.github.com/activescaffold/active_scaffold/per-request-con...
>
> Inside the before filter you will need to do
> active_scaffold_config.actions.exclude :delete and
> active_scaffold_config.actions.add :delete
>
> This only removes the link from the screen though. If a user would hit the
> action on the controller they could still potentially delete the record;
> this is where you use the delete_authorized? method and just have that
> method return false if the user is not an admin.
>
> You do not need to use RESTful authentication. There are already hooks
> built into ActiveScaffold that allow you to see if the user is authorized
> for that action.
>
> On Thu, Apr 23, 2009 at 5:18 PM, [email protected] <[email protected]> wrote:
> > Tried delete_authorized?, destroy_authorized, using the security layer.
> > Also I've tried the "before_filter :add_delete_if_admin" method. I am
> > still able to delete using a non-admin user. I can't even hide the
> > delete option based on the user permission.
> >
> > Soren, when you mention "RESTful authentication", is it already
> > built into ActiveScaffold? I'm using a custom user system based on the
> > login generator. Please shed some light. Please.....
> >
> > On Apr 10, 1:39 pm, Soren <[email protected]> wrote:
> > > Check out the wiki section on github, and in particular the one on
> > > security.
> > >
> > > It will take you through the various levels of security, and they do
> > > actually work.
> > >
> > > To limit a controller action just use #{action_name}_authorized? in
> > > your controller or helper. So far I can only make it work with the
> > > built-in controllers; for your own controllers I just posted to figure
> > > out how to do that.
> > >
> > > def update_authorized?
> > >   ['admin', 'something', 'something'].include?(current_user.role)
> > > end
> > >
> > > The role needs to match what your authentication system gives you;
> > > this works with restful_authentication.
> > >
> > > And if you need something more detailed, here is what I use in one of
> > > my models to prevent non-admins from destroying a record:
> > >
> > > def authorized_for_destroy?
> > >   if existing_record_check?
> > >     if current_user.role == 'admin'
> > >       return true
> > >     else
> > >       return (self.user_id == current_user.id)
> > >     end
> > >   else
> > >     return true
> > >   end
> > > end
> > >
> > > On Apr 10, 6:27 am, Kenny Ortmann <[email protected]> wrote:
> > > > it might be :destroy instead of delete
> > > >
> > > > On Thu, Apr 9, 2009 at 3:13 PM, [email protected] <[email protected]> wrote:
> > > > > I've tried this and the admin role checking works but didn't add the
> > > > > "delete" action to the menu. I've added some debug session data to
> > > > > verify that. Maybe something is wrong with the
> > > > > "active_scaffold_config.actions.add :delete" statement?
> > > > >
> > > > > if @session['user'].admin
> > > > >   active_scaffold_config.actions.add :delete
> > > > >   @session['permission'] = "1"
> > > > > else
> > > > >   # else branch not included in the post
> > > > > end
> > > > >
> > > > > I've added the filter definition in the application controller and added
> > > > > the before filter to the controller where I need to add the delete.
> > > > > But the delete doesn't show.
> > > > >
> > > > > On Apr 7, 11:36 am, Kenny Ortmann <[email protected]> wrote:
> > > > > > You can't get to the session when you are declaring the config.
> > > > > > You need to do this in a before filter.
> > > > > >
> > > > > > before_filter :add_delete_if_admin
> > > > > >
> > > > > > def add_delete_if_admin
> > > > > >   if session['user'].admin
> > > > > >     active_scaffold_config.actions.add :delete
> > > > > >   else
> > > > > >     active_scaffold_config.actions.exclude :delete
> > > > > >   end
> > > > > > end
> > > > > >
> > > > > > You should also implement this method, which will prevent the
> > > > > > deletion from happening if someone is trying to URL hijack and
> > > > > > delete things.
> > > > > >
> > > > > > def delete_authorized?
> > > > > >   session['user'].admin
> > > > > > end
> > > > > >
> > > > > > On Mon, Apr 6, 2009 at 11:27 PM, [email protected] <[email protected]> wrote:
> > > > > > > Does anyone know how to check the current user field (I have an
> > > > > > > admin field to have a simple role-based permission level) in the
> > > > > > > "config.actions.add :delete" line?
> > > > > > >
> > > > > > > The generated login system stores the session['user'], and I was
> > > > > > > able to use that object data in the view but not in the controller
> > > > > > > where I use config.actions.add to add the delete as an option for
> > > > > > > admin only.
> > > > > > >
> > > > > > > I tried it with @session['user'].admin, session['user'], and
> > > > > > > other variations and it wasn't able to even pull that session up.
> > > > > > >
> > > > > > > Can anyone please help?

You received this message because you are subscribed to the Google Groups "ActiveScaffold : Ruby on Rails plugin" group.
http://groups.google.com/group/activescaffold?hl=en
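The thread's central point is that excluding :delete in a before filter only hides the link, while the delete_authorized? controller hook and the model-level authorized_for_destroy? hook are what actually stop a request sent straight to the destroy action. The following is an added example, not code from the thread or from ActiveScaffold: a Rails-free Ruby simulation of those two layers. Everything in it is a stand-in and an assumption: the User and Record structs, the RecordsController class with its enabled_actions Set (standing in for the per-request action list), configure_delete_link (standing in for the before filter), the explicit current_user argument (there is no request context here), the demo helper, and the small extension that an "editor" role may use the delete action but only on records it owns. The demo runs the same requests twice, once with the server-side hooks enforced and once with only the link hidden, so the difference is visible in the results.

```ruby
require 'set'

# Constructed stand-ins for the application's user and record models.
User = Struct.new(:id, :role) do
  def admin?
    role == 'admin'
  end
end

Record = Struct.new(:id, :user_id) do
  # Per-record hook in the style of Soren's model method: admins may destroy
  # anything, other users only records they own. The current user is passed
  # in explicitly because this script has no Rails request context.
  def authorized_for_destroy?(current_user)
    return true if current_user.admin?
    user_id == current_user.id
  end
end

class RecordsController
  # Assumption: ActiveScaffold's per-request action list is modelled as a Set.
  attr_reader :enabled_actions

  def initialize(records, enforce_server_side: true)
    @records = records.each_with_object({}) { |r, h| h[r.id] = r }
    @enforce_server_side = enforce_server_side
    @enabled_actions = Set.new(%i[list show update])
  end

  # Controller-level hook from the thread, extended so that editors as well
  # as admins may use the delete action (the thread only checks for admin).
  def delete_authorized?(current_user)
    %w[admin editor].include?(current_user.role)
  end

  # Stand-in for the before filter that adds or excludes :delete per request.
  # It reuses delete_authorized? so the menu and the action cannot disagree.
  # This only changes what the screen shows; it authorizes nothing.
  def configure_delete_link(current_user)
    if delete_authorized?(current_user)
      @enabled_actions.add(:delete)
    else
      @enabled_actions.delete(:delete)
    end
  end

  def menu_shows_delete?
    @enabled_actions.include?(:delete)
  end

  # Simulates a request sent straight to the destroy action, whether or not
  # the menu ever offered a delete link to this user (the "URL hijack" case).
  def destroy(current_user, id)
    configure_delete_link(current_user)
    record = @records[id]
    return :not_found unless record
    if @enforce_server_side
      return :forbidden unless delete_authorized?(current_user)
      return :forbidden unless record.authorized_for_destroy?(current_user)
    end
    @records.delete(id)
    :deleted
  end

  def remaining_ids
    @records.keys.sort
  end
end

# Runs the same requests against a controller that enforces the hooks (true)
# and one that only hides the link (false), returning what happened.
def demo(enforce_server_side)
  admin  = User.new(1, 'admin')
  editor = User.new(10, 'editor')  # owns record 1
  viewer = User.new(30, 'viewer')
  records = [Record.new(1, 10), Record.new(2, 20)]  # constructed sample rows
  ctrl = RecordsController.new(records, enforce_server_side: enforce_server_side)

  ctrl.configure_delete_link(viewer)
  viewer_sees_link = ctrl.menu_shows_delete?

  {
    viewer_sees_link: viewer_sees_link,
    viewer_direct:    ctrl.destroy(viewer, 2),  # no link, but a direct request
    editor_other:     ctrl.destroy(editor, 2),  # allowed action, wrong record
    editor_own:       ctrl.destroy(editor, 1),
    admin_any:        ctrl.destroy(admin, 2),
    remaining:        ctrl.remaining_ids
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "enforced:  #{demo(true)}"
  puts "link-only: #{demo(false)}"
end
```

With enforcement on, the viewer's direct request and the editor's request for someone else's record both come back :forbidden; with only the link hidden, the viewer's direct request deletes record 2 even though the menu never showed a delete link, which is exactly the gap Kenny describes.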
