Forget it, I figured out it was the "new_record?" that was doing it and by removing that from the authorized_for_create? command worked perfectly.
Thanks again, Carl On Wed, May 27, 2009 at 9:04 AM, Carl Anderson <[email protected]> wrote: > Awesome, it works now. It will probably be too slow because of the way > I set up the query, if it ever gets busy, but I doubt many people will > use this besides myself. One question, I tried this: > > def authorized_for_create? > #Grays out the edit link when the user isn't the creator > new_record? || current_user.id == self.universe.creator_id || > current_user.userlimits.find(:first, :conditions => "universe_id = > #{self.universe_id}").rights >= 2 > end > > and this: > > def authorized_for_new? > #Grays out the edit link when the user isn't the creator > new_record? || current_user.id == self.universe.creator_id || > current_user.userlimits.find(:first, :conditions => "universe_id = > #{self.universe_id}").rights >= 2 > end > > And the same code works great for the all the other actions, but the > "Create New" link in the upper right hand corner never gets grayed > out, even when the current user only has rights == 1. Is that a bug, > or is there some other way to disable that link? > > Thanks, > Carl > > On Tue, May 26, 2009 at 11:56 PM, Sergio Cambra .:: entreCables S.L. > ::. <[email protected]> wrote: >> I have debugged because I didn't remember how worked ActiveScaffold security >> code. Look at _list_actions.html.erb >> First, call to link.security_method in controller. Controller method check >> permissions against the class, which check permissions against an empty >> record. If it's authorized link will be shown, then permission is checked >> against the record, if it is not authorized link will be disabled. >> >> So, you should authorize for update new records (it sounds strange, I know): >> def authorized_for_update? >> new_record? || current_user.id == self.creator_id >> end >> >> Also, return false unless current_user.id == self.creator_id, is always >> false, because when current_user.id == self.creator_id it returns nil. >> >> On Lunes, 25 de Mayo de 2009 06:55:23 Carl escribió: >>> I'm using the master trunk of AS with Rails 2.3.2 >>> >>> In one of my models I need to prevent the user from modifying the >>> model unless the current_user.id == creator_id. I am using the >>> nifty_authentication generator so I thought that perhaps the >>> current_user wasn't being passed through so I added a logger statement >>> to test things and I've run into something odd. Here's the code in my >>> model: >>> >>> class Universe < ActiveRecord::Base >>> has_many :permissions >>> has_many :users, :through => :permissions >>> belongs_to :creator, :class_name => "User", :foreign_key >>> => :creator_id >>> >>> def authorized_for_update? >>> logger.error "current user id = #{current_user.id}, self stats = # >>> {self.to_yaml}" >>> return false unless current_user.id == self.creator_id >>> end >>> end >>> >>> The logger statement reads like this in the log (there is currently >>> only one model in the database of this type currently): >>> >>> current user id = 1, self stats = --- !ruby/object:Universe >>> attributes: >>> name: >>> created_at: >>> updated_at: >>> creator_id: >>> description: >>> attributes_cache: {} >>> >>> new_record: true >>> >>> >>> So current_user.id is being set correctly, but shouldn't this have the >>> stats for the current model in it rather than a blank model? The model >>> in question should be showing up like this: >>> >>> --- !ruby/object:Universe >>> attributes: >>> name: Avatars >>> created_at: 2009-05-24 21:32:38 >>> updated_at: 2009-05-25 01:53:56 >>> id: "1" >>> creator_id: "1" >>> description: blah, blah >>> attributes_cache: {} >>> >>> >>> If anyone has any idea what I'm doing wrong here I'd really appreciate >>> it.I've looked through the other posts on here and it seems like it >>> should be working. >>> >>> >> >> -- >> Sergio Cambra .:: entreCables S.L. ::. >> Nicolás Guillén 6, locales 2 y 3. 50.018 Zaragoza >> T) 902 021 404 F) 976 52 98 07 E) [email protected] >> >> >> >> >> > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "ActiveScaffold : Ruby on Rails plugin" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/activescaffold?hl=en -~----------~----~----~----~------~----~------~--~---
