Forum: Ruby on Rails Adding 'author' functionality to UserEngine / RBAC roles

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Ilya G. (Guest)
on 2006-06-07 23:00
I'm trying to add / extend the default UserEngine schema
(Guest/User/Admin) to support author only Update/Delete functions. At
the moment, I allow 'Guest' to read/view all records, and User
additionaly has access to create/edit/destroy, however this means that
any registered user is able to modify any record.

My first thought was to add another filter in the chain after the
UserEngine's authorize_action. So, I added:

prepend_after_filter :author_permission, :except => [:show, ... ]

In my author_permission i simply check a conditional:
  session[:user].id != @object.user_id

And based on that output error messages etc. Now, this seems to work
when I try to call 'edit' on an object, I get redirected and get my
notification which says that  I'm not an author, hence I can't edit.
However, destroy, which does not render anything seems to pass right
through. So it seems like the action is performed right after
:authorize_action and :author_permissions is not checked. Is there
something I'm missing in the the filter chaining rules?

-- Another thought that crossed my mind would be to add an 'Author' role
in UserEngine, but then I'm not clear how to check the permissions.
Would I have to create a 'permission' object for each 'object' that i
try to protect and then assign them to an author role?

Any suggestions/pointers?

You can see my :author_permissions @
http://rafb.net/paste/results/cv5XMC30.html

Cheers,
Ilya
This topic is locked and can not be replied to.