I’m using the acts_as_authenticated plugin with a little app I wrote.
Everything works fine. I’m able to “signup” and use all the little
features. What I would like to do is be able to have each individual
user have access only to his or her own content. I just have two models:
User and Item. The User item is of course generated by the AAA plugin.
class Item < ActiveRecord::Base
end
class User < ActiveRecord::Base
# Virtual attribute for the unencrypted password
attr_accessor :password
#lots of omitted code
end
In my controller:
class ItemsController < ApplicationController
def new
@item = Item.new
end
#other omitted code
end
How would I change my setup so that a user can only
create/update/delete/view only his or her own items and not someone
else’s? Any advice or resources pointed to is greatly appreciated. 
On 2/6/07, I’m not Telling you [email protected] wrote:
Check the authorization in a before filter in your controllers. AAA
provides #authorized? as a hook for this.
before_filter :login_required, :only => [:new, :create, :update,
:edit, :destroy]
def authorized?
@item.editable_by? current_user
end
class Item < AR::Base
def editable_by?(user)
user && user.id == user_id # sample, replace with your own logic
end
end
–
Rick O.
http://weblog.techno-weenie.net
http://mephistoblog.com
Hey Rick,
I really appreciate your response. I am getting an error when I try this
code however: “You have a nil object when you didn’t expect it!
The error occurred while evaluating nil.editable_by?” 
I’m a little green around the gills with ruby. However I can see what
most of the code is doing. I can see that the editable_by? method in the
model takes the user as an argument and then passes the output to the
authorized? method in the controller. Is that correct? Any further help
is once again appreciated.
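Added example, not code from the thread or from acts_as_authenticated: plain Ruby (no Rails) that models Rick's authorized? hook, reproduces the nil error reported above by calling it before any item has been loaded, and shows two ways to close the gap. Item, User, find_for and ItemsController are constructed stand-ins; in a real app Item.find_for(user, id) corresponds to current_user.items.find(params[:id]) on a has_many :items association.

```ruby
# Added example, not from the thread: Rails-free stand-ins for the models
# and filter chain so the file runs on its own.
User = Struct.new(:id, :login)

class Item
  attr_reader :id, :user_id
  @@rows = []                      # constructed in-memory items table
  def initialize(id, user_id)
    @id, @user_id = id, user_id
    @@rows << self
  end
  def self.find(id)                # unscoped, like Item.find(params[:id])
    @@rows.find { |r| r.id == id }
  end
  # Scoped lookup, what current_user.items.find(id) does in Rails: another
  # user's row is simply not found, so a guessed id cannot reach it.
  def self.find_for(user, id)
    @@rows.find { |r| r.user_id == user.id && r.id == id }
  end
  def editable_by?(user)           # Rick's ownership rule, unchanged
    user && user.id == user_id
  end
end

class ItemsController
  def initialize(current_user, params)
    @current_user, @params = current_user, params
  end

  # As posted: login_required calls authorized? before the action body runs,
  # so @item is still nil here and Ruby raises NoMethodError on nil.
  def authorized_as_posted?
    @item.editable_by?(@current_user)
  end

  # Fix: load the record inside the hook and treat a missing row as denied.
  def authorized?
    @item = Item.find(@params[:id])
    !@item.nil? && @item.editable_by?(@current_user)
  end

  # Alternative: scope the find to the owner so a foreign id is a 404.
  def show
    @item = Item.find_for(@current_user, @params[:id])
    @item ? :ok : :not_found
  end
end

ALICE = User.new(1, "alice"); BOB = User.new(2, "bob")  # constructed users
Item.new(10, ALICE.id); Item.new(20, BOB.id)            # one item each
```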