Hello everyone, hope you are doing great…
I'm almost three weeks old in RoR and I've a simple problem which I
could find an answer for!
I'll first tell a bit about the project I'm trying to do:
I'm making a tool for a Team Leader where he can put tasks for his team
members. The Team Leader can see all tasks for his own team, but a team
member can see ONLY his own task. My problem is:
I'm using the same view when showing the task itself, and so a Team
Leader would have these links shown (edit, delete, etc.), but a team member
can't delete his task, he can only edit the status of it.
Is there a way in which I can tell from my controller which links to appear
or not depending on the user rights? I've really tried to search this out
a lot but came out empty…
Any help would be appreciated, thanks in advance…
Without getting into too many details, I think the post on
Authorization in Rails at
will help you understand how to address most of your requirements. The
skinny of the answer is that, if you’re just dealing with team leaders
and team members you can probably get away with the “Super Simple”
solution in the post. If your needs expand, you might want to go with
Chad F.'s recipe or with one of the well-known plugins.
This said, it looks like you have one additional requirement beyond
normal Role Based Access Control (RBAC) - ownership. That is, a user
must be checked to see not only if they have the role “team member”
but also to make sure that they’re a member of the appropriate team
for the tasks they are trying to access. In this case, using a
recursive acts_as_tree relationship should help you to accommodate the
complexity of an organizational model where users may play multiple
roles across different teams. If this doesn’t make sense to you or if
you haven’t dealt with acts_as_tree, please post back.
On Jun 23, 12:27 pm, Fady F.
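The role-plus-ownership check described in the answer above, as an added example in plain Ruby that is not part of the original thread; `User`, `Task`, `TaskPolicy` and `destroy_task` are hypothetical names. The view asks `allowed_actions` which links to render, and the controller repeats the same check because a hidden link does not stop a direct request.

```ruby
# Added illustration in plain Ruby (no Rails); all names are hypothetical.
User = Struct.new(:id, :name, :role, :team_id)   # role is :leader or :member
Task = Struct.new(:id, :title, :team_id, :assignee_id, :status)

class TaskPolicy
  def initialize(user, task)
    @user = user
    @task = task
  end

  # Ownership: a leader may see every task of his own team,
  # a member may see only the task assigned to him.
  def show?
    return false unless same_team?
    leader? || assignee?
  end

  # Anyone who may see the task may change its status.
  def update_status?
    show?
  end

  # Only the leader of the task's own team may edit details or delete.
  def edit?
    leader? && same_team?
  end
  alias destroy? edit?

  # The view calls this to decide which links to render.
  def allowed_actions
    %i[show update_status edit destroy].select { |a| public_send("#{a}?") }
  end

  private

  def leader?;    @user.role == :leader; end
  def same_team?; @user.team_id == @task.team_id; end
  def assignee?;  @user.id == @task.assignee_id; end
end

# Controller-side enforcement: the same policy is checked again before
# acting, so a request sent without the link is still refused.
def destroy_task(user, task, store)
  raise SecurityError, "not allowed" unless TaskPolicy.new(user, task).destroy?
  store.delete(task.id)
end
```
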
I've double posted this subject; the other post is:
Please kindly reply over there…thanks.