Howto limit load_resource for users with multiple roles? #617

Closed
tonymarschall opened this Issue · 5 comments

2 participants

@tonymarschall

In my application all users can read their own tasks. A second controller is only available for moderators, and moderators can see all tasks.

```ruby
# accessible for every user
# every user should see only own tasks,
# but at the moment all moderators see all tasks
class TasksController < ActionController::Base
  load_and_authorize_resource
end

# only accessible for moderators, all tasks
class TasksModeratorController < ActionController::Base
  load_and_authorize_resource :task, :parent => false
end

# Ability
class Ability
  include CanCan::Ability

  def initialize(user)
    # Moderators can read all tasks
    if user.moderator?
      can :read, Task
    end
    # All users can read their own tasks
    can :read, Task, :user_id => user.id
  end
end
```

How can I limit the tasks in TasksController to show only own tasks also to moderators, but all tasks in TasksModeratorController? Do I have to switch to manual fetch and authorize, or is there a more common way to handle this?

@andhapp
Collaborator

@tonymarschall: Hello,
Not sure what you mean by this. Can you please explain a little? Thanks.

"How can i limit the tasks in TasksController to show only own tasks also to moderators but all tasks in TasksModeratorController?"

@tonymarschall

I will try: on the TaskController#index view I only want to display current_user tasks. If the user is a moderator he/she will see all tasks, since the permission for moderators is `can :read, Task`. I have to give this permission to moderators since on TaskModeratorController#index moderators should be able to view all tasks.

Or shorter:

TaskController          =>  "Show _only_ my tasks"
TaskModeratorController =>  "Show _all_ tasks if I am a moderator"

@andhapp
Collaborator

Okay. I will just write this here to ensure I understand the issue completely before suggesting a solution.

TaskController:

As a user, I should only be able to see my tasks.
As a moderator, I should only be able to see my tasks.
As a moderator, I should not be able to see anyone else's tasks.

TaskModeratorController:

As a moderator, I should be able to see everyone's tasks.
As a user, I should not be able to access it.

Please confirm. Thanks.

@tonymarschall

Yes, that exactly describes my problem.

@andhapp andhapp was assigned
@andhapp
Collaborator

Okay. You'll have to switch to manual load and authorize. When you define abilities you define them for your application, and for controller-based authorisation you'll have to do it yourself.

However, your set up seems incorrect to me. In your abilities, you are explicitly giving moderators access to read everything but then you don't want them to see all the tasks when it comes to the main tasks page.

I am going to close this issue for now since this is not directly related to the library. If you have any more issues, please feel free to comment.

@andhapp andhapp closed this
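The "manual load and authorize" route andhapp points to, as an added example that is not part of the thread or of the CanCan gem. To run without Rails it uses a small stand-in for CanCan::Ability that mirrors the documented rule semantics (a class-level check such as `can? :read, Task` ignores hash conditions and is true if any rule could allow the action; an instance check requires the conditions to hold). The `:moderate` action, the `USERS`/`TASKS` sample data, the `AccessDenied` class and the two `*_index` functions standing in for the controller actions are assumptions made for this example.

```ruby
# Added example: not code from the thread or from the CanCan gem. It sketches
# the manual load-and-authorize approach with a stand-in for CanCan::Ability so
# it runs without Rails. :moderate, USERS, TASKS and AccessDenied are
# assumptions made for this example, not part of the original issue.

class AccessDenied < StandardError; end

User = Struct.new(:id, :moderator) do
  def moderator?; moderator; end
end
Task = Struct.new(:id, :user_id)

# Stand-in for CanCan::Ability. Rules are [action, class, conditions].
class Ability
  def initialize(user)
    @rules = []
    # The rules from the issue, unchanged:
    can :read, Task if user.moderator?
    can :read, Task, :user_id => user.id
    # One extra rule (an assumption of this example): an action only moderators
    # hold, so the moderator controller has a check that a conditional :read
    # rule cannot satisfy.
    can :moderate, Task if user.moderator?
  end

  def can(action, subject_class, conditions = {})
    @rules << [action, subject_class, conditions]
  end

  # Mirrors CanCan's documented behaviour: checking a class (can? :read, Task)
  # ignores hash conditions and is true if any rule could allow the action;
  # checking an instance requires that rule's conditions to hold for the record.
  def can?(action, subject)
    @rules.any? do |rule_action, klass, conds|
      next false unless rule_action == action
      if subject.is_a?(Class)
        subject == klass
      else
        subject.is_a?(klass) && conds.all? { |attr, val| subject.send(attr) == val }
      end
    end
  end

  def authorize!(action, subject)
    raise AccessDenied, "not allowed to #{action} #{subject.inspect}" unless can?(action, subject)
  end
end

# Constructed sample data standing in for the users and tasks tables.
USERS = { 1 => User.new(1, false), 2 => User.new(2, true) }
TASKS = [Task.new(10, 1), Task.new(11, 2), Task.new(12, 1)]

# TasksController#index by hand: scope the query to the current user's own
# tasks (current_user.tasks in Rails) instead of letting accessible_by apply
# the union of all :read rules, then authorize each record. The scope is what
# hides other users' tasks from a moderator; authorize! only guards against a
# record that slipped into the scope by mistake.
def tasks_index(current_user)
  ability = Ability.new(current_user)
  own = TASKS.select { |t| t.user_id == current_user.id }
  own.each { |t| ability.authorize!(:read, t) }
  own
end

# TasksModeratorController#index by hand: check the moderator-only action on
# the class, then return everything.
def moderator_index(current_user)
  Ability.new(current_user).authorize!(:moderate, Task)
  TASKS
end

# Why authorize!(:read, Task) is not a usable gate for the moderator controller:
# the conditional rule makes the class-level check true for every user.
def class_level_read_allowed?(current_user)
  Ability.new(current_user).can?(:read, Task)
end
```

With these rules a moderator calling `tasks_index` gets only their own tasks while `moderator_index` returns all of them, and a plain user is rejected by `moderator_index` with `AccessDenied`. The last function shows the trap to avoid when wiring the moderator controller: because every user holds a conditional `:read` rule on Task, `authorize! :read, Task` passes for everyone, so the moderator-only gate has to be a distinct action (or an equivalent explicit moderator check) rather than a class-level `:read`.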