I recently started with RoR and this may be a newbie question.
I have a company table, employee table and transactions table.
1 company has many employees. Each employee performs many transactions.
Employees from different companies LOGIN to the system to record their
transactions. Employees can search on all transactions associated to
their companies (indirect relationship via employee), and edit only the
transactions entered by them.
(of course my actual application has several objects like transactions
which employees do, and I am trying to implement the same thing for
So basically, I am trying to implement a ‘view’ of the data once an
employee logs in, which shows only those transactions, which correspond
to the employee’s companies.
The simple (and tedious way) is to modify all controllers options and
change all find_* methods to take an appropriate ID to restrict the
records it returns.
Given that there are several entities, this is a tedious approach.
Is there some other way to configure this ‘data based security’ ? A
simple way which causes the model to restrict the records it throws out
in all cases to an appropriate subset?
I looked at security frameworks like acts_as_authenticated (which
handles only authentication and hence not relevant), and acl_system2
(which is RBAC, and not neccessarily data based).
Looking forward to some help!