On Jan 22, 2010, at 5:44 PM, John M. wrote:
particular answer (and if a login has not been required, current_user
if resource.respond_to? :user_read_authorized?
resource (e.g. record 1 of Users table) is readable (true) unless the
Is this what you were saying Rob?
Yes, that’s a good restatement of what I said/meant.
Also, would the next step to prevent the user from accessing, let’s
the edit action of User page be to define :user_read_authorized?
So basically assign user_read_authorized role privileges so it can
it against the privileges of current_user (the currently logged in
Any responses would be greatly appreciated. I've been on this all day.
Well, you could, but that’s probably better as something you do in the
controller (perhaps by defining a local version of authorized? if
you’re using a restful_authentication work-alike).
If you’re not building a plugin for widespread use, you could just do
the test “directly”:
def can_edit?(other) # method name assumed; the def line is not in Rob's message
  return false unless other.is_a?(User)
  self.role > other.role
end
Then in your controller’s edit action
@other = User.find_by_id(params[:user_to_edit_id])
if @other.nil?
  flash[:error] = "can't find that user"
elsif !current_user.can_edit?(@other) # can_edit? assumed; its def line is not in Rob's message
  flash[:error] = "you can't read that user"
else
  # do regular stuff (render, etc)
end
Season to taste.
Rob B. http://agileconsultingllc.com
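The role-comparison check Rob sketches above, worked through as an added example that is not code from this thread or from restful_authentication. It is plain Ruby so it runs without Rails: ROLE_RANK, can_edit?, find_user_by_id, authorize_edit and the in-memory USERS table are all assumed names constructed for illustration, and find_user_by_id stands in for User.find_by_id. The point it adds to the thread is the two edge cases a practitioner has to decide: a nil current_user (no login required) is refused rather than crashing, and a strict greater-than means peers and the user themselves are refused too.

```ruby
# Added example (not from the thread). Role ranks, users and names below are
# constructed for illustration.
ROLE_RANK = { :guest => 0, :member => 1, :moderator => 2, :admin => 3 }.freeze

class User
  attr_reader :id, :name, :role

  def initialize(id, name, role)
    raise ArgumentError, "unknown role #{role.inspect}" unless ROLE_RANK.key?(role)
    @id, @name, @role = id, name, role
  end

  # Strictly higher rank wins, so a user cannot edit peers or themselves
  # through this path. Anything that is not a User (nil, a String that leaked
  # in from params) is refused instead of raising.
  def can_edit?(other)
    return false unless other.is_a?(User)
    ROLE_RANK[role] > ROLE_RANK[other.role]
  end
end

# Constructed stand-in for the users table and for User.find_by_id.
USERS = [
  User.new(1, "alice", :admin),
  User.new(2, "bob",   :moderator),
  User.new(3, "carol", :member),
].each_with_object({}) { |u, h| h[u.id] = u }.freeze

def find_user_by_id(id)
  USERS[Integer(id)]
rescue ArgumentError, TypeError
  nil # non-numeric or missing id behaves like find_by_id: no record
end

# Mirrors the controller branch from the thread. The decision is keyed on
# current_user (session-derived), never on anything the client sent.
# Returns [:ok, target], [:forbidden, msg] or [:not_found, msg] so the caller
# can set flash and render/redirect.
def authorize_edit(current_user, params)
  target = find_user_by_id(params[:user_to_edit_id])
  if target.nil?
    [:not_found, "can't find that user"]
  elsif current_user.nil? || !current_user.can_edit?(target)
    [:forbidden, "you can't edit that user"]
  else
    [:ok, target]
  end
end

if __FILE__ == $0
  alice = USERS[1]
  p authorize_edit(alice, { :user_to_edit_id => "3" })    # admin edits member
  p authorize_edit(USERS[3], { :user_to_edit_id => "1" }) # member tries admin
  p authorize_edit(USERS[2], { :user_to_edit_id => "2" }) # editing self is refused
  p authorize_edit(nil, { :user_to_edit_id => "3" })      # not logged in
  p authorize_edit(alice, { :user_to_edit_id => "99" })   # no such user
end
```

The "not found" branch is checked before the role check so that an unauthenticated or low-rank caller gets the same answer for a missing id as everyone else; if you want to avoid leaking which ids exist, return the forbidden message in both cases instead.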