I debugged it because I didn't remember how the ActiveScaffold security 
code worked. Look at _list_actions.html.erb.
First, it calls link.security_method in the controller. The controller method checks 
permissions against the class, which checks permissions against an empty 
record. If it's authorized, the link will be shown; then the permission is checked 
against the record, and if it is not authorized the link will be disabled.

So, you should authorize new records for update (it sounds strange, I know):
def authorized_for_update?
  new_record? || current_user.id == self.creator_id
end

Also, "return false unless current_user.id == self.creator_id" is always false, 
because when current_user.id == self.creator_id it returns nil.

On Monday, 25 May 2009 06:55:23 Carl wrote:
> I'm using the master trunk of AS with Rails 2.3.2
>
> In one of my models I need to prevent the user from modifying the
> model unless the current_user.id == creator_id. I am using the
> nifty_authentication generator so I thought that perhaps the
> current_user wasn't being passed through so I added a logger statement
> to test things and I've run into something odd. Here's the code in my
> model:
>
> class Universe < ActiveRecord::Base
>   has_many :permissions
>   has_many :users, :through => :permissions
>   belongs_to :creator, :class_name => "User", :foreign_key => :creator_id
>
>   def authorized_for_update?
>     logger.error "current user id = #{current_user.id}, self stats = #{self.to_yaml}"
>     return false unless current_user.id == self.creator_id
>   end
> end
>
> The logger statement reads like this in the log (there is currently
> only one model in the database of this type currently):
>
> current user id = 1, self stats = --- !ruby/object:Universe
> attributes:
>   name:
>   created_at:
>   updated_at:
>   creator_id:
>   description:
> attributes_cache: {}
>
> new_record: true
>
>
> So current_user.id is being set correctly, but shouldn't this have the
> stats for the current model in it rather than a blank model? The model
> in question should be showing up like this:
>
> --- !ruby/object:Universe
> attributes:
>   name: Avatars
>   created_at: 2009-05-24 21:32:38
>   updated_at: 2009-05-25 01:53:56
>   id: "1"
>   creator_id: "1"
>   description: blah, blah
> attributes_cache: {}
>
>
> If anyone has any idea what I'm doing wrong here I'd really appreciate
> it. I've looked through the other posts on here and it seems like it
> should be working.
>
> 
-- 
Sergio Cambra .:: entreCables S.L. ::.
Nicolás Guillén 6, locales 2 y 3. 50.018 Zaragoza
T) 902 021 404 F) 976 52 98 07 E) [email protected]
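
The two-step check and the nil return described in the reply above, as an added plain-Ruby example that is not part of the original message and is not ActiveScaffold's own code. Universe is a Struct stand-in for the model, and link_state, CURRENT_USER_ID and the two method names are hypothetical names that only model the behaviour described.

```ruby
# Added illustration in plain Ruby; no Rails or ActiveScaffold required.
# Universe, link_state and CURRENT_USER_ID are stand-ins constructed here.
CURRENT_USER_ID = 1 # constructed sample: id of the logged-in user

Universe = Struct.new(:id, :creator_id) do
  def new_record?
    id.nil?
  end

  # Method from the quoted question. Its only statement is
  # `return false unless ...`: when the ids differ it returns false,
  # when they match it falls through and returns nil. Never truthy.
  def authorized_for_update_original?
    return false unless CURRENT_USER_ID == creator_id
  end

  # Method suggested in the reply: blank records pass, saved records
  # pass only for their creator.
  def authorized_for_update_fixed?
    new_record? || CURRENT_USER_ID == creator_id
  end
end

# Models the two-step check described in the reply: first against an
# empty record (the class-level check), then against the actual row.
def link_state(record, check)
  return :hidden unless Universe.new.public_send(check)
  record.public_send(check) ? :enabled : :disabled
end

OWN   = Universe.new(1, 1) # constructed: row created by user 1
OTHER = Universe.new(2, 7) # constructed: row created by user 7

if __FILE__ == $PROGRAM_NAME
  %i[authorized_for_update_original? authorized_for_update_fixed?].each do |check|
    puts "#{check}: own=#{link_state(OWN, check)} other=#{link_state(OTHER, check)}"
  end
end
```

With the original method the link is hidden even for the creator, because the empty-record check fails first; with the suggested method only the creator's row gets an enabled link.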

