Authorization built in model?

Hello, I found a lot of good authorization plugins which can protect
controller actions. I need those of course, but I also need something
else:

I have a large database with patients and, based on the authenticated
user and the groups he or she belongs to, the user may only see his own
patients.
In my PHP app, I did this with a query like

select patients.name from patients, groups, users where
patients.group_id = groups.group_id and groups.user_id = users.user_id and
users.user_id = $authenticated_user

Are there better (and more readable) ways in Rails to do this?
Is there a plugin which supports this kind of authorization?

Looking forward to your answers!

regards,

Remco

Read up on ActiveRecord with_scope - you might want to do something like
this:

Patient.with_scope(
  :find => { :conditions => ["groups.user_id=?", User.current_user],
             :include => [:groups] } ) do
  Patient.find(:all, :conditions=>, …)
end

This is a really nicely structured way of separating the authorisation
concern from the actual query.

Note that you could also include the user table:
:include=>{:groups=>:user} and then use users.user_id in the
condition.

Cheers,
Max
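
The scoping idea from the answer above, as an added plain-Ruby sketch (not ActiveRecord's implementation and not code from the thread): a condition pushed once is ANDed into every finder inside the block, including lookup by id. The class body, sample rows and the `for_user` helper are hypothetical.

```ruby
# Plain-Ruby model of the with_scope idea: an authorization condition is pushed
# once and ANDed into every finder run inside the block. All data is constructed.
class RecordNotFound < StandardError; end

class Patient
  ROWS = [ # constructed sample rows
    { id: 1, name: "Ann",  group_id: 10 },
    { id: 2, name: "Bob",  group_id: 10 },
    { id: 3, name: "Cara", group_id: 20 },
  ].freeze
  GROUP_OWNER = { 10 => 100, 20 => 200 }.freeze # constructed groups: group_id => user_id

  @scopes = []

  class << self
    # Push a condition for the duration of the block and always pop it again,
    # even if the block raises, so the scope cannot leak into later calls.
    def with_scope(condition)
      @scopes.push(condition)
      yield
    ensure
      @scopes.pop
    end

    # Hypothetical helper: scope by group ownership (mirrors groups.user_id = ?).
    def for_user(user_id, &block)
      with_scope(->(row) { GROUP_OWNER[row[:group_id]] == user_id }, &block)
    end

    # Returns rows that pass every active scope AND the caller's own filter.
    def find_all(&extra)
      ROWS.select { |r| @scopes.all? { |s| s.call(r) } && (extra.nil? || extra.call(r)) }
    end

    # Lookup by id goes through the same scopes, so another user's
    # patient id behaves exactly like a missing record.
    def find(id)
      find_all { |r| r[:id] == id }.first || raise(RecordNotFound, "Patient #{id}")
    end
  end
end
```

Outside the block the finders are unscoped, so every code path that reads patients has to run inside it.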

This is exactly what I was looking for!
Thanks a lot!
