On Sunday, 16 May 2010 19:39:27 Benjamin Adler wrote:
> Hello!
>
> I'm wondering how exactly authorized_for_create? and authorized_for_new?
> work and which one I need to use. Does _new show/hide the "Create
> New"-link and _create simply (dis)allows creating a new instance and
> saving it into the db?
authorized_for_create is both for create action and action links with create
crud type, so authorized_for_create must be used to disallow creating a
record, because it will disallow access to new and create actions, and it must
be a class method (because there is no record to check permissions).
authorized_for_#{action_name}? was added for custom actions.
>
> Suppose there's an awesome_nested_set 'markers', and I'd like to allow
> only creation of root nodes and nodes directly below those (level 0 and 1).
>
> When I create a marker as a submarker of a root-marker, the request
> looks like this:
>
> Processing MarkersController#create (for x at y) [POST]
> Parameters: {"eid"=>"3f1ea33b0ab5b9c5bfe3ce2dc256ee35",
> "parent_column"=>"children", "commit"=>"Create", "nested"=>"true",
> "action"=>"create",
> "authenticity_token"=>"n854NxNJno4qC/gIzc1f9aHdeSSCjRMPGyyqCN8g2n8=",
> "parent_model"=>"Marker", "controller"=>"markers",
> "record"=>{"name"=>"asdasd"}}
>
> Given the parent-marker doesn't show up in this request, how could I
> check for the level of the about-to-be-created node in the ANS-tree?
Here you will have to override the security method in the controller, because
you need to read params and session. You can get the parent id in the
constraints:
active_scaffold_constraints[:parent]
>
> It also seems that authorized_for_create? is executed twice in response
> to a MarkersController#new request. Why is that?
Probably, one call for before filter checking permission for new action, and
another call to check permission to show the field.
>
> And lastly, what's the difference between a create_authorized? in the
> controller and an authorized_for_create? in the model? Does one need both
> because they're called in different times/contexts and have access to
> different data to make the decision?
The controller method uses the model method and it has access to request data.
Usually it is better to put it in the model, because it is the right place, but
when you need to check data from the request you have to use the controller method.
--
Sergio Cambra .:: entreCables S.L. ::.
Mariana Pineda 23, 50.018 Zaragoza
T) 902 021 404 F) 976 52 98 07 E) [email protected]
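
A sketch of the controller-side check described in the reply above, added here as an illustration and not taken from the thread or from ActiveScaffold itself. Plain-Ruby stand-ins replace Rails, ActiveScaffold and awesome_nested_set so it runs on its own; the stand-in classes, MAX_PARENT_LEVEL and the sample markers are assumptions, while create_authorized?, authorized_for_create? and active_scaffold_constraints[:parent] are the names used in the thread.

```ruby
# Stand-in for the awesome_nested_set model: only id and level are mimicked.
class Marker
  attr_reader :id, :level
  @records = {}

  class << self
    attr_reader :records

    # Stand-in for the ActiveRecord finder; returns nil for unknown ids.
    def find_by_id(id)
      @records[id.to_i]
    end

    # Model-level rule: a class method, no record or request data here.
    def authorized_for_create?
      true
    end
  end

  def initialize(id, level)
    @id, @level = id, level
    self.class.records[id] = self
  end
end

# Stand-in for the ActiveScaffold controller (hypothetical, not a Rails class).
class MarkersController
  MAX_PARENT_LEVEL = 0 # a child of a level-0 parent lands on level 1

  attr_reader :active_scaffold_constraints

  def initialize(constraints)
    @active_scaffold_constraints = constraints
  end

  # Controller-level override: asks the model rule first, then checks the
  # request-scoped parent constraint. Anything unexpected is denied.
  def create_authorized?
    return false unless Marker.authorized_for_create?
    parent_id = active_scaffold_constraints[:parent]
    return true if parent_id.nil?        # not nested: a new root (level 0)
    parent = Marker.find_by_id(parent_id)
    return false if parent.nil?          # unknown parent id: deny
    parent.level <= MAX_PARENT_LEVEL     # parent must itself be a root
  end
end

# Constructed sample tree: marker 1 is a root, marker 2 sits on level 1.
Marker.new(1, 0)
Marker.new(2, 1)
```

Because the same method guards both the new and the create actions, the rule is enforced on the POST itself and not only by hiding the "Create New" link.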