HOWTO? security based on data values

Hi!
I recently started with RoR and this may be a newbie question.
I have a company table, employee table and transactions table.
1 company has many employees. Each employee performs many transactions.
Employees from different companies LOGIN to the system to record their
transactions. Employees can search on all transactions associated to
their companies (indirect relationship via employee), and edit only the
transactions entered by them.
(of course my actual application has several objects like transactions
which employees do, and I am trying to implement the same thing for
each).

So basically, I am trying to implement a ‘view’ of the data once an
employee logs in, which shows only those transactions, which correspond
to the employee’s companies.
The simple (and tedious) way is to modify all controllers' options and
change all find_* methods to take an appropriate ID to restrict the
records they return.
Given that there are several entities, this is a tedious approach.

Is there some other way to configure this ‘data based security’? A
simple way which causes the model to restrict the records it throws out
in all cases to an appropriate subset?
I looked at security frameworks like acts_as_authenticated (which
handles only authentication and hence not relevant), and acl_system2
(which is RBAC, and not necessarily data based).

Looking forward to some help!
-Ashish

On Tuesday, August 01, 2006, at 10:16 PM, Ashish Bansal wrote:



Rails mailing list
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails

I think a plugin was recently released called ‘acts_as_view’ that does
this.

_Kevin
www.sciwerks.com

Ashish Bansal wrote:

simple way which causes the model to restrict the records it throws out
in all cases to an appropriate subset?
I looked at security frameworks like acts_as_authenticated (which
handles only authentication and hence not relevant), and acl_system2
(which is RBAC, and not necessarily data based).

Looking forward to some help!
-Ashish

Wouldn’t accessing those records through employee associations do the
trick?

Example:

@employee.transactions.find :all

instead of

Transaction.find :all


Jack C.
[email protected]
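As an added illustration of the approach in Jack's reply (not code from the thread, and not using Rails), a plain-Ruby model of the company/employee/transaction chain with constructed data: the company-wide search scope and the employee-only edit scope are resolved through the logged-in employee's associations, while an unscoped lookup returns any company's record.

```ruby
# Added example, not from the thread: plain Ruby (no ActiveRecord) modelling the
# company -> employee -> transaction chain, to show why resolving every lookup
# through the logged-in employee's associations is safer than a global
# Transaction.find. Names, ids and amounts below are constructed sample data.
Company     = Struct.new(:id, :name)
Employee    = Struct.new(:id, :company_id)
Transaction = Struct.new(:id, :employee_id, :amount)

COMPANIES    = [Company.new(1, "Acme"), Company.new(2, "Globex")]
EMPLOYEES    = [Employee.new(10, 1), Employee.new(11, 1), Employee.new(20, 2)]
TRANSACTIONS = [Transaction.new(100, 10, 5), Transaction.new(101, 11, 7),
                Transaction.new(200, 20, 9), Transaction.new(201, 20, 3)]

class NotFound < StandardError; end

# Unscoped lookup, the equivalent of Transaction.find(id): an id from any
# company resolves, so the caller must remember to add the restriction.
def find_transaction_unscoped(id)
  TRANSACTIONS.find { |t| t.id == id } or raise NotFound
end

# Search scope: transactions of every employee in the same company as the
# current employee (the "indirect relationship via employee" in the question).
def company_transactions(employee)
  colleague_ids = EMPLOYEES.select { |e| e.company_id == employee.company_id }.map(&:id)
  TRANSACTIONS.select { |t| colleague_ids.include?(t.employee_id) }
end

# Edit scope: only transactions the current employee entered, the equivalent of
# @employee.transactions.find(id). Any other id, a colleague's included, is
# simply not found, so no separate ownership check can be forgotten.
def find_own_transaction(employee, id)
  TRANSACTIONS.find { |t| t.employee_id == employee.id && t.id == id } or raise NotFound
end

def visible_ids(employee)
  company_transactions(employee).map(&:id)
end
```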