How to use acts_as_permissible in your controllers
NoamB edited this page Sep 12, 2010 · 10 revisions
The following is a proposition of how to use this plugin in your controllers.
First, in ApplicationController, we’ll define the authorized method:
```ruby
class ApplicationController < ActionController::Base
  ...

  protected

  # Allows the action when a user is logged in and holds every permission
  # in the list; otherwise hands off to access_denied.
  def authorize(permissions = [])
    ( current_user && current_user.has_permission?(*permissions) ) || access_denied
  end
end
```
As you can see in the above example, I rely on having a current_user method, which returns an instance of the logged-in user, and an access_denied method, which handles the case where the user is not authorized to access a certain page or action. When called with its default, empty permissions array, the above implementation will always return true for any logged-in user.
Let’s say you want to protect an entire controller with the same permissions.
You can do it with a before filter like this:
```ruby
class ProtectedController < ApplicationController
  before_filter :authorize

  def index
    ...
  end
  ...
```
You will need to override the authorize method in your controller and change the list of default parameters, like this:
```ruby
  ...

  protected

  # Same method, but the default permission list now names what this
  # controller requires; the filter calls it with no arguments.
  def authorize(permissions = ["view_secret_documents"])
    super(permissions)
  end
end # of ProtectedController
```
If instead you need to protect your controller on a per-action basis, you can do this:
```ruby
class AnotherController < ApplicationController
  def index
    authorize(["view_secret_documents_list"]) # will redirect if not authorized
    ...
  end

  def show
    authorize(["read_secret_document"]) # will redirect if not authorized
    ...
  end
end
```
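The three pieces above (the base authorize method, the controller-wide before filter with an overridden default, and the per-action calls) fit together as in the following plain-Ruby model. This is an added example, not code from the acts_as_permissible plugin or this wiki: Rails is not loaded, so `ActionController::Base`, `before_filter`, `current_user` and `access_denied` are replaced by small stand-ins, and the `User` class is a constructed stub whose `has_permission?` is assumed to succeed when every named permission is held (so, as the page notes, an empty list passes any logged-in user).

```ruby
# Added example, not the plugin's own code: a plain-Ruby model of the
# authorize pattern so it runs without Rails.

# Constructed stand-in for a user record. has_permission? is assumed to
# return true when every named permission is held (true for an empty list).
class User
  def initialize(permissions)
    @permissions = permissions
  end

  def has_permission?(*names)
    names.all? { |n| @permissions.include?(n) }
  end
end

# Raised in place of a redirect, so a denied request is observable.
class AccessDenied < StandardError; end

# Stand-in for ApplicationController with a minimal before_filter.
class ApplicationController
  attr_reader :current_user

  def self.before_filter(name)
    (@before_filters ||= []) << name
  end

  # Filters declared on ancestors run too, as in Rails.
  def self.before_filters
    inherited = superclass.respond_to?(:before_filters) ? superclass.before_filters : []
    inherited + (@before_filters || [])
  end

  def initialize(current_user)
    @current_user = current_user
  end

  # Runs the declared filters, then the action; mirrors request dispatch.
  def process(action)
    self.class.before_filters.each { |f| send(f) }
    public_send(action)
  end

  protected

  # The page's authorize method, unchanged.
  def authorize(permissions = [])
    (current_user && current_user.has_permission?(*permissions)) || access_denied
  end

  # Assumed helper: a real app would redirect; here we raise.
  def access_denied
    raise AccessDenied, "not authorized"
  end
end

# Whole controller protected by a filter plus an overridden default list.
class ProtectedController < ApplicationController
  before_filter :authorize

  def index
    "secret document index"
  end

  protected

  def authorize(permissions = ["view_secret_documents"])
    super(permissions)
  end
end

# Per-action permissions, each action naming what it needs.
class AnotherController < ApplicationController
  def index
    authorize(["view_secret_documents_list"])
    "secret document list"
  end

  def show
    authorize(["read_secret_document"])
    "secret document"
  end
end

# Dispatches one action and reports :ok or :denied.
def run(controller_class, user, action)
  controller_class.new(user).process(action)
  :ok
rescue AccessDenied
  :denied
end

# Calls the base authorize with its empty default, showing the fail-open
# behaviour the page describes for logged-in users (send bypasses protected).
def bare_authorize(user)
  ApplicationController.new(user).send(:authorize)
  :ok
rescue AccessDenied
  :denied
end
```

The `bare_authorize` helper makes the caveat from the first section concrete: with the empty default list, any logged-in user passes, and only a missing `current_user` is denied. Controllers that rely on the filter should therefore always override the default list, as `ProtectedController` does, or pass an explicit list per action.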