I’m trying to add / extend the default UserEngine schema
(Guest/User/Admin) to support author only Update/Delete functions. At
the moment, I allow ‘Guest’ to read/view all records, and User
additionaly has access to create/edit/destroy, however this means that
any registered user is able to modify any record.
My first thought was to add another filter in the chain after the
UserEngine’s authorize_action. So, I added:
prepend_after_filter :author_permission, :except => [:show, … ]
In my author_permission i simply check a conditional:
session[:user].id != @object.user_id
And based on that output error messages etc. Now, this seems to work
when I try to call ‘edit’ on an object, I get redirected and get my
notification which says that I’m not an author, hence I can’t edit.
However, destroy, which does not render anything seems to pass right
through. So it seems like the action is performed right after
:authorize_action and :author_permissions is not checked. Is there
something I’m missing in the the filter chaining rules?
– Another thought that crossed my mind would be to add an ‘Author’ role
in UserEngine, but then I’m not clear how to check the permissions.
Would I have to create a ‘permission’ object for each ‘object’ that i
try to protect and then assign them to an author role?
Any suggestions/pointers?
You can see my :author_permissions @
http://rafb.net/paste/results/cv5XMC30.html
Cheers,
Ilya