Access model and Restrict controller actions #557

Closed
jmaniv opened this Issue · 1 comment

2 participants

@jmaniv

I have Tool and ToolType resources. I want to set the following permissions per role:
1) Admin can manage all
2) User can manage
a) Tool resources (both ToolsController's actions and the Tool model)
b) Should only be able to read the ToolType model whose user_id is equal to current_user.id

Menu links in layout/application.html.erb:

<div id="menu">
  <%= link_to "Tools", tools_url if can? :index, Tool %>
  <%= link_to "ToolTypes", tool_types_url if can? :index, ToolType %>
</div>

in my ability.rb:

class Ability
  include CanCan::Ability

  def initialize(user)
    if user.has_role? :sysadmin
      can :manage, :all
    else
      can :manage, Tool, :user_id => user.id
      can :read, ToolType, :user_id => user.id
      cannot :index, ToolType
    end
  end
end

My problem is: it enables the ToolTypes link in my menu even when I am logged in as a normal user.

How can I give access to Tool resources (the Tool model and ToolsController's actions)
and to the ToolType model only (restricting ToolTypesController's actions)?
While creating new Tools I need a list of ToolTypes, and I want to restrict normal users from viewing all ToolTypes.

@derekprior
Collaborator

The :read action is an alias for :show and :index. You have declared that non-:sysadmin users should be able to read and show ToolTypes that belong to them. That means they can also index the ToolTypes that belong to them - which is more specific than the later cannot call to disallow :index of all ToolTypes. I think you want to change your else block to:

can :manage, Tool, :user_id => user.id
can :show, ToolType, :user_id => user.id

If you still need assistance, please comment and we can reopen.
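To show why granting :read lets the layout's `can? :index, ToolType` check pass while granting only :show does not, here is an added Ruby example (mine, not code from the cancan gem or this thread): a toy re-implementation of CanCan's rule matching with the :read alias and the class-level versus instance-level condition handling the reply describes, applied to both ability definitions. `ToolType` is a constructed stand-in for the ActiveRecord model.

```ruby
# Toy model of CanCan's rule evaluation, written for this issue (not the gem).
# Assumptions: :read expands to :index and :show, :manage matches every action,
# the last matching rule wins, and a rule with hash conditions counts as a match
# on a class-level check (can? :index, ToolType) while being compared against the
# record's attributes on an instance-level check.
ToolType = Struct.new(:user_id) # constructed stand-in for the ActiveRecord model

class ToyAbility
  ALIASES = { read: [:index, :show] }.freeze

  def initialize
    @rules = [] # entries: [allow?, actions, subject_class, conditions]
  end

  def can(action, subject, conditions = {})
    @rules << [true, expand(action), subject, conditions]
  end

  def cannot(action, subject, conditions = {})
    @rules << [false, expand(action), subject, conditions]
  end

  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    match = @rules.reverse.find do |allow, actions, rule_class, conditions|
      next false unless rule_class == klass
      next false unless actions.include?(:manage) || actions.include?(action)
      next true if conditions.empty?
      # Class-level check with conditions: the rule answers with its own
      # behaviour, so a conditional `can` matches and a conditional `cannot` does not.
      next allow if subject.is_a?(Class)
      conditions.all? { |attr, value| subject.public_send(attr) == value }
    end
    match ? match[0] : false
  end

  private

  def expand(action)
    ALIASES.fetch(action, [action])
  end
end

# The issue's rule for ToolType: :read also grants :index, so the menu link shows.
def read_ability(user_id)
  ToyAbility.new.tap { |a| a.can :read, ToolType, user_id: user_id }
end

# The suggested fix: grant only :show, so the class-level :index check fails.
def show_ability(user_id)
  ToyAbility.new.tap { |a| a.can :show, ToolType, user_id: user_id }
end
```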

@derekprior derekprior closed this