Mongoid embeds_many with CanCan 2 #604

Closed
pbougie opened this Issue Apr 16, 2012 · 4 comments

@pbougie

I am trying to implement permissions on a nested controller that contains the Mongoid embeds_many model. I have tried implementing it in various ways but have so far been unsuccessful.

My models are as follows (obviously shortened):

class Employee
  include Mongoid::Document
  embeds_many :timeoffs, class_name: "EmployeeTimeoff"
  field :name, type: String
  field :email, type: String
end

class EmployeeTimeoff
  include Mongoid::Document
  embedded_in :employee

  field :status, type: Symbol
  field :date, type: Date
  field :reason, type: String
end

The controller:

class Employees::TimeoffsController < ApplicationController

  def index
  end

  def new
  end

  def create
  end

  def approve
  end

  def deny
  end

  def destroy
  end
end

And the routes:

resources :employees do
  resources :timeoffs, only: [:index, :new, :create, :destroy], :controller => "employees/timeoffs" do
    put "approve" => "employees/timeoffs#approve", :on => :member
    put "deny" => "employees/timeoffs#deny", :on => :member
  end
end

Can this be implemented as a regular nested resource? Can I use load_and_authorize_resource in this instance? Any help would be greatly appreciated.

@pbougie

Also how would the abilities be declared? I need some specific abilities for each action. Thanks.

@derekprior
Collaborator

Have you seen this similar issue:
#319

It seems load_and_authorize_resource cannot be used with embedded documents. Please review the reference issue and let me know if you still have questions.

@derekprior
Collaborator

@pbougie, I'm going to close this issue for now for lack of information. If you are still having this problem and the above link does not assist, please comment and we can re-open.

@derekprior derekprior closed this May 21, 2012
@pbougie

@derekprior I had seen issue #319 but it wasn't that easy. Authorization is by employee but I needed somewhat different privileges on the time offs than the employees. I ended up creating custom action names so the Employee and EmployeeTimeoff models wouldn't clash.

def load_and_authorize
  @employee = current_account.employees.find(params[:employee_id])
  @timeoff = @employee.timeoffs.find(params[:id])
  authorize! "timeoff_#{action_name}".to_sym, @employee
end
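
The custom-action-name approach from the last comment, as an added example that is not code from this thread or from CanCan: a plain-Ruby stand-in with the same can / can? / authorize! shape as CanCan's Ability, so it runs without Rails or Mongoid. The policy (an employee manages their own requests, only that employee's manager approves or denies), the Struct models, and matching user id to employee id are assumptions.

```ruby
# Added example: plain-Ruby stand-in for the can / can? / authorize! shape of
# CanCan's Ability, so it runs without Rails, Mongoid or the cancan gem.
class AccessDenied < StandardError; end

# Constructed sample models; a Timeoff lives only inside its Employee.
Employee = Struct.new(:id, :manager_id, :timeoffs)
Timeoff  = Struct.new(:id, :status)
User     = Struct.new(:id, :role)

class Ability
  OWN    = [:timeoff_index, :timeoff_new, :timeoff_create, :timeoff_destroy]
  DECIDE = [:timeoff_approve, :timeoff_deny]

  def initialize(user)
    @rules = []
    # Assumed policy: an employee manages their own requests ...
    OWN.each { |a| can(a, Employee) { |e| e.id == user.id } }
    return unless user.role == :manager
    # ... and only that employee's manager may approve or deny them.
    DECIDE.each { |a| can(a, Employee) { |e| e.manager_id == user.id } }
  end

  def can(action, klass, &cond)
    @rules << [action, klass, cond]
  end

  def can?(action, subject)
    @rules.any? { |a, k, c| a == action && subject.is_a?(k) && c.call(subject) }
  end

  def authorize!(action, subject)
    raise AccessDenied, "#{action} denied" unless can?(action, subject)
  end
end

# Same shape as the filter in the comment above; timeoff_id is nil for
# collection actions (index, new, create), which carry no :id.
def load_and_authorize(ability, employees, employee_id, action_name, timeoff_id = nil)
  employee = employees.find { |e| e.id == employee_id } or raise AccessDenied, "no such employee"
  timeoff = timeoff_id && employee.timeoffs.find { |t| t.id == timeoff_id }
  ability.authorize!("timeoff_#{action_name}".to_sym, employee)
  [employee, timeoff]
end

# Constructed data: employee 1 reports to manager 2; user 3 manages someone else.
EMPLOYEES = [Employee.new(1, 2, [Timeoff.new(10, :pending)])]
```

Because every time-off permission carries the timeoff_ prefix, a rule written for the Employee resource itself (for example :update) never grants or blocks a time-off action, and the embedded document is only ever reached through an employee that has already been looked up.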