Forum: Ruby on Rails Authorization with RESTful_ACL (index)

Jm F. (Guest)
on 2009-01-22 22:13
(Received via mailing list)
I'm using the latest RESTful_ACL plugin -
- and so far it has fulfilled my app needs...
I control the access to the several models depending on the user's
role and the REST action.
Although, I have a question:

For example, imagine that I have a User, each User can have many
Numbers, and each Number can have many Profiles.
A User can only access his Numbers and hence only the Profiles
associated with each of those Numbers he owns.

Imagine that I have a User 1, which owns the Number 1, which has a
Profile 1.
And there's another User 2, which owns the Number 2, which has a
Profile 2.

I can protect the access to a particular Number and Profile using
self.is_readable_by(user, object). User 1 is successfully blocked when
trying to access /numbers/2 and /numbers/2/profiles/2
But I'm having problems finding a way to _not_ allow a User to access
the index of Profiles for a Number that he doesn't own.

How could I protect the User 1 from accessing the index of Profiles
belonging to User 2? /numbers/2/profiles
Matt D. (Guest)
on 2009-01-23 15:18
(Received via mailing list)
Thanks for using RESTful_ACL!

What you're trying to do is simple with v2.0+:

class Profile < ActiveRecord::Base
  logical_parent :number

  belongs_to :number

  # This method checks permissions for the :index action
  def self.is_indexable_by(user, parent = nil)
    user.number == parent
  end
end
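
The parent-scoped index check discussed in this thread, as an added example that is not part of the original posts and is not RESTful_ACL's own code. It generalizes the check to the has-many case from the question; plain Ruby Structs stand in for the models, and `profiles_index`, `NUMBERS` and `USERS` are hypothetical names with constructed data.

```ruby
# Plain-Ruby stand-ins for the thread's models (no Rails, no plugin).
User    = Struct.new(:id, :numbers)
Number  = Struct.new(:id, :owner_id, :profiles)
Profile = Struct.new(:id, :number_id) do
  # Same name and signature as the method in the answer above.
  # Assumption: a user has many numbers, so ownership is a membership test.
  def self.is_indexable_by(user, parent = nil)
    return false if user.nil? || parent.nil? # no user or no parent: deny
    user.numbers.any? { |n| n.id == parent.id }
  end
end

# Constructed sample data: User 1 owns Number 1, User 2 owns Number 2.
NUMBERS = {
  1 => Number.new(1, 1, [Profile.new(1, 1)]),
  2 => Number.new(2, 2, [Profile.new(2, 2)])
}.freeze
USERS = {
  1 => User.new(1, [NUMBERS[1]]),
  2 => User.new(2, [NUMBERS[2]])
}.freeze

# Hypothetical stand-in for GET /numbers/:number_id/profiles.
# Returns [status, profile_ids].
def profiles_index(user, number_id)
  parent = NUMBERS[number_id]
  # Answer a missing parent and a foreign parent identically so the
  # response does not reveal which number ids exist.
  return [:forbidden, []] unless Profile.is_indexable_by(user, parent)

  # Scope the listing to the authorized parent, never to all profiles.
  [:ok, parent.profiles.map(&:id)]
end

if __FILE__ == $PROGRAM_NAME
  p profiles_index(USERS[1], 1) # own number
  p profiles_index(USERS[1], 2) # number owned by User 2
end
```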

Jm F. (Guest)
on 2009-01-23 18:09
(Received via mailing list)
Many thanks for the reply, issue solved!!!
Keep up with the good work :)
Matt D. (Guest)
on 2009-01-23 20:46
Jm Freitas wrote:
> Many thanks for the reply, issue solved!!!
> Keep up with the good work :)

1. Awesome.
2. Thanks ;)