Sergio,

that was very helpful.

On 05/17/2010 09:55 AM, Sergio Cambra .:: entreCables S.L. ::. wrote:
> authorized_for_create is both for create action and action links with create
> crud type, so authorized_for_create must be used to disallow creating a
> record, because it will disallow access to new and create actions, and it must
> be a class method (because there is no record to check permissions).

> authorized_for_#{action_name}? was added for custom actions.

I think I understand. I *could* override authorized_for_new?, but that wouldn't help me in this case, because authorized_for_create? does all I want.

> Here you will have to override the security method in the controller, because
> you need to read params and session. You can get the parent id in the
> constraints:
> active_scaffold_constraints[:parent]

Ah, I never heard of this before. Why is the parent-id in this hash and not part of the request/params-hash?

> > And lastly, what's the difference between a create_authorized? in the
> > controller and an authorized_for_create? in the model? Does one need both
> > because they're called in different times/contexts and have access to
> > different data to make the decision?

> The controller method uses the model method and it has access to request data. Usually
> it is better to put it in the model, because it is the right place, but when you need to
> check data from the request you have to use the controller method.

I made it to this, which seems to work:

# class-method in the model:
def self.authorized_for_create?
  !current_user.nil?
end

# in the controller:
def create_authorized?
  if active_scaffold_constraints[:parent].nil?
    Marker.authorized_for_create?
  else
    Marker.find_by_id(active_scaffold_constraints[:parent]).root? and Marker.authorized_for_create?
  end
end

- authorized_for_create? always has to be a class method, while its other crud-siblings don't have to be, right?

- When overriding the controller's create_authorized?, do I also have to explicitly check the model's security method, like I do above? Or is that done at some other time anyway?

thank you, Sergio!
ben
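
The two-layer check discussed in this message, as an added example that is not part of the original post and is not ActiveScaffold code: plain-Ruby stand-ins (BaseController, the in-memory STORE and can_create? are hypothetical) showing a controller override that still runs the model-level check and denies, rather than raising, when the parent id matches no record.

```ruby
# Stand-ins written for this example; not ActiveScaffold or Rails code.
class Marker
  STORE = {} # constructed sample records, keyed by id
  class << self
    attr_accessor :current_user # assumption: set by the framework per request
    def authorized_for_create?
      !current_user.nil?
    end

    def find_by_id(id)
      STORE[id.to_i]
    end
  end
  attr_reader :id, :parent_id
  def initialize(id, parent_id = nil)
    @id, @parent_id = id, parent_id
    STORE[id] = self
  end

  def root?
    parent_id.nil?
  end
end

# Default controller behaviour as described in the thread: ask the model.
class BaseController
  attr_reader :active_scaffold_constraints
  def initialize(constraints = {})
    @active_scaffold_constraints = constraints
  end

  def create_authorized?
    Marker.authorized_for_create?
  end
end

class MarkersController < BaseController
  def create_authorized?
    return false unless super          # model-level check always runs first
    parent_id = active_scaffold_constraints[:parent]
    return true if parent_id.nil?      # not nested: the model check is enough
    parent = Marker.find_by_id(parent_id)
    !parent.nil? && parent.root?       # unknown parent id: deny, do not raise
  end
end

def can_create?(user, constraints = {})
  Marker.current_user = user
  MarkersController.new(constraints).create_authorized?
end

Marker.new(1)    # constructed root marker
Marker.new(2, 1) # constructed child of marker 1
```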
