In my application, I have a super admin role and a client admin role.
The super admin role should have full access to all user records,
whereas the client_admin should only be allowed to modify users
belonging to them.
In authorization_rules.rb super_admin and client_admin users are
configured as follows:
role :client_admin do
  has_permission_on :users do
    to [:manage]
    # user refers to the current_user when evaluating
    if_attribute :client_id => is { user.client_id }
  end
  ...
end

role :super_admin do
  has_permission_on :users, :to => :manage
  ...
end
At the top of users_controller.rb, I have included the method,
filter_access_to :update, :destroy, :attribute_check => true (note: I
am purposely only including the update and destroy actions to keep the
discussion simple). This works great for client_admins but fails for
super admins, because it is running the attribute_check even though I
haven't specified the if_attribute in the super_admin config.
My question… Is there any way to conditionally run the attribute check
based on a user's role? For example, I would like to be able to do
something like the following in users_controller.rb:
filter_access_to :update, :destroy,
  :attribute_check => (current_user.role.name == 'super_admin' ? false : true)
The variable current_user isn't defined when this gets executed, so it
obviously fails. Is there a way though, to accomplish what is
expressed above?
Thanks,
jearlu
Actually, it is quite a common case to run attribute checks even though the
conditions are empty -- so there shouldn't be any problems with it, they just
succeed. Are you sure this is the problem? Have you checked the output in
the log on why access is denied?
Steffen
Oh, now I see. I actually had filter_access_to include the create
action (filter_access_to :create, :update, :destroy, :attribute_check
=> true). I ran into trouble when trying to create a new user when
logged in as a super_admin and was getting the following error:
filter_access_to tried to find User from params[:id] (nil), because
attribute_check is enabled and @user isn't set, but failed:
ActiveRecord::RecordNotFound: Couldn't find User without an ID
I was expecting it to skip over the attribute check, since the
authorization rules for the role, super_admin, didn't have a call to
the method if_attribute. I didn't realize that running an attribute
check with empty conditions essentially skips attribute checking. I
have since added the following before filter:
before_filter :new_user, :only => :create
where new_user is defined as:
protected

def new_user
  @user = User.new(params[:user])
end
and everything is now working great.
Thanks for the quick response and all of your hard work on such a
great plugin.
- jearlu
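Added example, not code from the thread or from the declarative_authorization plugin: a small self-contained Ruby model of the two behaviours settled above. A role with no if_attribute conditions passes the attribute check trivially, while a nil @user with no params[:id] fails the record lookup. The names UserRecord, RULES, DB and filter_access are assumptions made for this illustration.

```ruby
# Simplified model of declarative_authorization's attribute check (added example,
# not the plugin's code). Names below are assumptions for illustration only.

# A user record as the controller sees it (constructed sample data).
UserRecord = Struct.new(:id, :client_id, :role)

# One lambda per if_attribute condition; an empty list models a role that
# declares no if_attribute at all (the super_admin case in the thread).
RULES = {
  :client_admin => [->(record, user) { record.client_id == user.client_id }],
  :super_admin  => [],   # has_permission_on :users, :to => :manage
}

# Constructed in-memory "database": id => UserRecord.
DB = {
  1 => UserRecord.new(1, 10, :client_admin),
  2 => UserRecord.new(2, 20, :client_admin),
}

class RecordNotFound < StandardError; end

# Every condition must hold. With no conditions, all? returns true, which is
# why an attribute check with empty conditions effectively skips checking.
def attribute_check_passes?(role, record, current_user)
  RULES.fetch(role).all? { |cond| cond.call(record, current_user) }
end

# Models filter_access_to ... :attribute_check => true. When @user (object)
# is not set, the record is loaded from params[:id]; a nil id fails the same
# way as the error quoted in the thread. Returns true when access is granted.
def filter_access(current_user, object, params)
  record = object
  if record.nil?
    id = params[:id]
    raise RecordNotFound, "Couldn't find User without an ID" if id.nil?
    record = DB[id]
    raise RecordNotFound, "Couldn't find User with ID=#{id}" unless record
  end
  attribute_check_passes?(current_user.role, record, current_user)
end
```

Setting @user in a before filter, as the final post does for create, is what keeps the lookup from running when there is no params[:id].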