In my application all users can read their own tasks. A second controller is only available for moderators and moderators can see all tasks.
```ruby
# accessible for every user
# every user should see only own tasks,
# but at the moment all moderators see all tasks
class TasksController < ActionController::Base
end

# only accessible for moderators, all tasks
class TasksModeratorController < ActionController::Base
  load_and_authorize_resource :task, :parent => false
end
```
```ruby
# Moderators can read all tasks
can :read, Task
# All users can read their own tasks
can :read, Task, :user_id => user.id
```
How can I limit the tasks in TasksController to show only own tasks also to moderators but all tasks in TasksModeratorController? Do I have to switch to manual fetch and authorize or is there a more common way to handle this?
Not sure what you mean by this. Can you please explain a little? Thanks.
"How can I limit the tasks in TasksController to show only own tasks also to moderators but all tasks in TasksModeratorController?"
I will try: on the TaskController#index view I only want to display current_user tasks. If the user is a moderator he/she will see all tasks since the permission for moderators is can :read Task. I have to give this permission to moderators since on TaskModeratorController#index moderators should be able to view all tasks.
can :read Task
TaskController => "Show _only_ my tasks"
TaskModeratorController => "Show _all_ tasks if i am a moderator"
Okay. I will just write this here to ensure I understand the issue completely before suggesting a solution.
As a user, I should only be able to see my tasks.
As a moderator, I should only be able to see my tasks.
As a moderator, I should not be able to see anyone else's tasks.
As a moderator, I should be able to see everyone's tasks.
As a user, I should not be able to access it.
Please confirm. Thanks.
Yes, that exactly describes my problem.
Okay. You'll have to switch to manual load and authorize. When you define abilities, you define them for your application, and for controller-based authorisation you'll have to do it yourself.
However, your setup seems incorrect to me. In your abilities, you are explicitly giving moderators access to read everything, but then you don't want them to see all the tasks when it comes to the main tasks page.
I am going to close this issue for now since this is not directly related to the library. If you have any more issues, please feel free to comment.
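The manual load-and-authorize approach suggested above, sketched as an added example that is not code from this thread or from CanCan: a plain-Ruby stand-in models the two ability rules and shows why `TasksController` has to scope to the owner itself while `TasksModeratorController` gates on the role. All names (`Ability#can_read?`, `tasks_index`, `moderator_tasks_index`, the `moderator` flag) are hypothetical, and the sample data is constructed.

```ruby
# Plain-Ruby stand-in for the thread's setup (constructed; not CanCan's API).
Task = Struct.new(:id, :user_id)
User = Struct.new(:id, :moderator)

class AccessDenied < StandardError; end

# Mirrors the two rules from the question; rules are OR-ed, as in CanCan.
class Ability
  def initialize(user)
    # can :read, Task, :user_id => user.id
    @rules = [->(task) { task.user_id == user.id }]
    # can :read, Task (assumed to apply to moderators only)
    @rules << ->(_task) { true } if user.moderator
  end

  def can_read?(task)
    @rules.any? { |rule| rule.call(task) }
  end
end

# TasksController#index: scope to the owner first, then authorize each record.
# The ability alone is not enough, because a moderator's ability matches every task.
def tasks_index(user, all_tasks)
  ability = Ability.new(user)
  own = all_tasks.select { |t| t.user_id == user.id }
  own.each { |t| raise AccessDenied unless ability.can_read?(t) }
  own
end

# TasksModeratorController#index: gate on the role, then return what the ability allows.
def moderator_tasks_index(user, all_tasks)
  raise AccessDenied unless user.moderator
  ability = Ability.new(user)
  all_tasks.select { |t| ability.can_read?(t) }
end

# Constructed sample data: two tasks owned by user 10, one by user 20.
TASKS = [Task.new(1, 10), Task.new(2, 10), Task.new(3, 20)].freeze
ALICE = User.new(10, false)
MOD   = User.new(20, true)
```

In a Rails app with CanCan, the owner-scoped query would typically be the user's own association combined with `accessible_by(current_ability)`, assuming a `has_many :tasks` association on the user model.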