<?xml version="1.0" encoding="UTF-8"?>
<commit>
  <added type="array"/>
  <modified type="array">
    <modified>
      <diff>@@ -11,7 +11,10 @@ the accessed objects to determine whether certain actions should be allowed.
 Example
 =======
 
-Models need to define the access restrictions which will apply:
+Models need to define the access restrictions which will apply. If the concept
+of &quot;ownership&quot; is to be used, it is necessary to define which attribute 
+refers to the object's owner. The owner should fill the role of accessor
+in the application.
 
 class User &lt; ActiveRecord::Base
   # user has an is_admin attribute
@@ -22,11 +25,13 @@ class User &lt; ActiveRecord::Base
   # allow users to save their own profile
   authenticates_saves :with =&gt; :allow_owner
 
-  # this is a bit ugly for now, but only in this one specific case
-  include AuthenticatesAccess::Ownership
-  def owner_id
-    id
-  end
+  # allow admins to save the profile as well
+  authenticates_saves :with_accessor_method =&gt; :is_admin
+
+  # note that ownership doesn't confer all privileges!
+  # has_owner :self means that the accessor's ID will be compared
+  # with this object's own ID for the allow_owner test.
+  has_owner :self
 
   # also, allow admins to save any user profile
   authenticates_saves :with_accessor_method =&gt; :is_admin 
@@ -36,10 +41,19 @@ class Comment &lt; ActiveRecord::Base
   belongs_to :user
 
   # allow users to edit their own comments (but not others)
+
+  # has_owner :user means that user.id will be compared to accessor.id
+  # for the allow_owner test to pass.
   has_owner :user
+  
+  # register the ownership test for any saves
   authenticates_saves :with =&gt; :allow_owner
+
   # this will also allow admins to edit any comments
   authenticates_saves :with_accessor_method =&gt; :is_admin
+
+  # this makes the creating user the owner of the comment
+  autosets_owner_on_create
 end
 
 The application controller should set an accessor to be used:</diff>
      <filename>README</filename>
    </modified>
    <modified>
      <diff>@@ -62,13 +62,49 @@ module AuthenticatesAccess
     # has_owner :user
     # authenticates_saves :with =&gt; :allow_owner
     #
-    def has_owner(attr)
-      define_method(:owner_id) do
-        read_attribute(attr.id)
+    # or:
+    #
+    # has_owner
+    # def owner_id
+    #   id
+    # end
+    #
+    def has_owner(attr=nil)
+      unless attr.nil
+        if attr == :self
+          # special case the self attribute but don't allow ownership change
+          define_method(:owner_id) do
+            id
+          end
+        else
+          define_method(:owner_id) do
+            read_attribute(attr.id)
+          end
+          define_method(&quot;owner_id=&quot;) do |new_value|
+            write_attribute(attr.id,new_value)
+          end
+        end
       end
       include Ownership 
     end
 
+    # If declared, the accessor used to create this object automatically
+    # becomes its owner.
+    # 
+    # Examples:
+    #
+    # class Comment &lt; ActiveRecord::Base
+    #   belongs_to :member
+    #   has_owner :member
+    #   autosets_owner_on_create
+    #   authenticates_saves :with =&gt; :allow_owner
+    # end
+    #
+    def autosets_owner_on_create
+      has_owner # this will do nothing if the user has already set up has_owner :something
+      before_save :autoset_owner
+    end
+
     # Used to specify that a given attribute should only be written to if the
     # accessor passes a test. The test may be a method of the accessor or
     # of the object itself, which should return a boolean value.. If the test 
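Review bot: The guard `unless attr.nil` in `has_owner` calls a method named `nil`, but Ruby's predicate is `nil?`. Unless the project defines `nil` somewhere outside this hunk, every `has_owner` call raises NoMethodError, including the bare `has_owner` inside `autosets_owner_on_create`. Change the line to `unless attr.nil?`. Separately, `read_attribute(attr.id)` and the new `write_attribute(attr.id,new_value)` take `.id` of the symbol itself rather than naming the association's foreign-key column; this is carried over from the old code and looks unintended, so confirm which column is meant. A comment on the generated `owner_id=` saying that changing ownership is itself subject to the write check would help readers.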
@@ -117,6 +153,21 @@ module AuthenticatesAccess
       self.class.accessor
     end
 
+    def bypass_auth
+      @bypass_auth = 1
+      yield
+      @bypass_auth = 0
+    end
+
+    # Auto-set the owner id to the accessor id before save if the object is new
+    def autoset_owner
+      if new_record?
+        bypass_auth do
+          self.owner_id = accessor.id
+        end
+      end
+    end
+
     # Run a method on the accessor if it's available, otherwise return false.
     def run_accessor_method(method)
       if accessor.respond_to?(method)
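Review bot: `bypass_auth` resets its flag to `0`, which is truthy in Ruby, so once it has run the instance keeps a truthy `@bypass_auth`. The `allowed_to_write(name) || @bypass_auth` test added to `write_attribute` in the last hunk then lets every later write on that object through without the access check. Because `autoset_owner` calls `bypass_auth` on each new record, any object created this way stays unprotected for the rest of its lifetime. The flag is also left at `1` if the block raises; use booleans and restore in an ensure clause: `@bypass_auth = true`, `yield`, then `ensure` followed by `@bypass_auth = false`. It is not visible from this hunk whether `bypass_auth` sits under a `private` marker; since it switches off authorization, it should not be callable from outside the model.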
@@ -180,7 +231,7 @@ module AuthenticatesAccess
     def write_attribute(name, value)
       # Simply check if the accessor is allowed to write the field
       # (if so, go to superclass and do it)
-      if allowed_to_write(name)
+      if allowed_to_write(name) || @bypass_auth
         super(name, value)
       end
     end</diff>
      <filename>lib/authenticates_access.rb</filename>
    </modified>
  </modified>
  <removed type="array"/>
  <parents type="array">
    <parent>
      <id>c6bc9a2fef28f0654d2de43a6e4dcc017650f04d</id>
    </parent>
  </parents>
  <author>
    <name>Andrew Armenia</name>
    <email>andrew@asquaredlabs.com</email>
  </author>
  <url>http://github.com/asquared/authenticates_access/commit/99f680e5e5f85bc839c8b9b08ed2aa2e9dac774f</url>
  <id>99f680e5e5f85bc839c8b9b08ed2aa2e9dac774f</id>
  <committed-date>2009-06-17T13:20:13-07:00</committed-date>
  <authored-date>2009-06-17T13:20:13-07:00</authored-date>
  <message>Added autosets_owner_on_create, bypass_auth { ... }, has_owner :self, and other magical things...</message>
  <tree>5c6b87d08b172831e6e30e4bb6ed6263022ec7c0</tree>
  <committer>
    <name>Andrew Armenia</name>
    <email>andrew@asquaredlabs.com</email>
  </committer>
</commit>
