On Jan 22, 2010, at 5:44 PM, John Merlino wrote:
Rob Biedenharn wrote:
On Jan 22, 2010, at 1:02 PM, John Merlino wrote:
Is there any kind of debugging feature I can run to see what gets passed into resource in this specific instance?
Also, user_read_authorized? is not defined anywhere else in the application. Is that legal in Rails? Can someone just define :user_read_authorized? and it mean something?
Thanks for any suggestions
As to the second part of your question, it is perfectly "legal" to define your own method names and the behavior that you expect. In this case, it seems like a resource (probably a model) is presumed to be readable (true) unless the resource has defined its own :user_read_authorized? method that takes a user and supplies a particular answer (and if a login has not been required, current_user might be false).
Shame on you if your method names don't make sense, of course. ;-)
-Rob
Rob Biedenharn http://agileconsultingllc.com
[email protected]
def read_authorized?(resource)
  if resource.respond_to? :user_read_authorized?
    resource.user_read_authorized? current_user
  else
    true
  end
end
So Ruby has a function called respond_to? that can be used to see if a particular class or object has a method with a certain name. So the resource (e.g. record 1 of the Users table) is readable (true) unless the resource has defined its own :user_read_authorized? method. If it does have a :user_read_authorized? method, then we take the user (resource.user_read_authorized?(current_user)) and evaluate it against the method. So if the method requires the user to be logged in and have role 6, then if current_user is logged in but has role 5, we return false. Otherwise (else) we return true, which means the user will have access to the page.
Is this what you were saying Rob?
Yes, that's a good restatement of what I said/meant.
Also, would the next step to prevent the user from accessing, let's say, the edit action of the User page be to define :user_read_authorized?
So basically assign user_read_authorized role privileges so it can test them against the privileges of current_user (the currently logged in user).
Any responses would be greatly appreciated. I've been on this all day.
Well, you could, but that's probably better as something you do in the controller (perhaps by defining a local version of authorized? if you're using a restful_authentication work-alike).
If you're not building a plugin for widespread use, you could just do the test "directly":
class User
  def can_read(other)
    return false unless other.is_a?(User)
    self.role > other.role
  end
end
Then in your controller's edit action:
def edit
  if @other = User.find_by_id(params[:user_to_edit_id])
    if current_user.can_read(@other)
      # do regular stuff (render, etc)
    else
      flash[:error] = "you can't read that user"
      redirect_to some_url
    end
  else
    flash[:error] = "can't find that user"
    redirect_to some_url
  end
end
Season to taste. ;-)
-Rob
Rob Biedenharn http://agileconsultingllc.com
[email protected]
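The respond_to? check that Rob explained earlier in the thread and the can_read role comparison from his last reply, put together as an added plain-Ruby example that runs outside Rails (this is not code from the thread or from any Rails plugin). The classes ConfidentialReport and PublicPage, the constant MIN_ROLE, the User struct and the role values 6 and 5 are constructed here for illustration; the role-6/role-5 scenario follows John's restatement. The example also goes one step past the thread: the original read_authorized? returns true whenever a resource has no hook, so the block shows a deny-by-default variant beside it.

```ruby
# Added example, not from the thread. Plain Ruby stand-ins for Rails objects.

# Stand-in for current_user. A role is an integer: higher means more privileged.
# Rob notes current_user may be false when no login was required; handled below.
User = Struct.new(:name, :role)

# A resource that opts in to per-user read checks by defining the hook.
# MIN_ROLE = 6 is a constructed value matching John's "role 6" scenario.
class ConfidentialReport
  MIN_ROLE = 6

  def user_read_authorized?(user)
    return false unless user.is_a?(User)   # anonymous (false/nil) is never authorized
    user.role >= MIN_ROLE
  end
end

# A resource that never defines the hook at all.
class PublicPage; end

# The pattern from the thread: duck-type on the hook, default to readable.
# Note the else branch is fail-open: any resource that forgets the hook is
# readable by everyone, logged in or not.
def read_authorized?(resource, current_user)
  if resource.respond_to?(:user_read_authorized?)
    resource.user_read_authorized?(current_user)
  else
    true
  end
end

# Deny-by-default variant (added here, not in the thread): a resource must
# define the hook, and the hook must return exactly true, to be readable.
def read_authorized_strict?(resource, current_user)
  resource.respond_to?(:user_read_authorized?) &&
    resource.user_read_authorized?(current_user) == true
end

# Rob's can_read idea, reopening the User class from above.
# A user may read another only if their own role is strictly higher.
class User
  def can_read(other)
    return false unless other.is_a?(User)   # nil, false, or a non-User gets no access
    role > other.role
  end
end

if __FILE__ == $0
  admin = User.new("admin", 6)
  staff = User.new("staff", 5)
  report = ConfidentialReport.new
  page = PublicPage.new
  puts "admin reads report:   #{read_authorized?(report, admin)}"
  puts "staff reads report:   #{read_authorized?(report, staff)}"
  puts "anon reads report:    #{read_authorized?(report, false)}"
  puts "anon reads page:      #{read_authorized?(page, false)}"
  puts "strict: admin/page:   #{read_authorized_strict?(page, admin)}"
  puts "admin can_read staff: #{admin.can_read(staff)}"
  puts "staff can_read admin: #{staff.can_read(admin)}"
end
```

Running the file prints one line per case; the PublicPage results make the fail-open behaviour of the original helper visible, since anyone, including an anonymous current_user of false, can read a resource that simply lacks the hook, whereas the strict variant refuses it.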
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.