create privilege on has_many :through


dgm

Nov 21, 2009, 5:42:42 PM
to declarative_authorization
I'm having problems creating a nested resource... While it might be a
problem in my code to add multiple nested resources, I'm not so
sure. The demo app doesn't quite cover the situation.

The problem is, a person may create a new phone number, as long as the
number is created to belong to the person. The relationship doesn't
exist until *after* it has been created though.

This should not really be a problem since my create function will
always go through the parent object to create the phone number, so
should I just tell it not to check on that method? I think the error
is coming through the model attribute check, so I need to turn off the
attribute check for that controller action, right? How?

Similarly, when the model validates permissions on a collection,
shouldn't it run against all of the objects? And shouldn't an empty
set validate ok? "permission on nothing" !?

Steffen Bartsch

Nov 22, 2009, 7:27:19 AM
to declarative_...@googlegroups.com
On Saturday, 21 November 2009, dgm wrote:
> The problem is, a person may create a new phone number, as long as the
> number is created to belong to the person. The relationship doesn't
> exist until after it has been created though.

You could try to create a failing test as part of the decl_auth tests and
debug the problem. decl_auth just checks the supplied object.

> This should not really be a problem since my create function will
> always go through the parent object to create the phone number, so
> should I just tell it not to check on that method? I think the error
> is coming through the model attribute check, so I need to turn off the
> attribute check for that controller action, right? How?

Please, have a look at the documentation. The :no_attribute_check option for
filter_resource_access should help.

http://www.tzi.org/~sbartsch/declarative_authorization/master/classes/Authorization/AuthorizationInController/ClassMethods.html#M000211

Steffen

dgm

Nov 23, 2009, 10:23:55 AM
to declarative_authorization

> Please, have a look at the documentation. The :no_attribute_check option for
> filter_resource_access should help.

Actually, I don't think this helps. The problem isn't in the
controller action, it is in the model check. I can trigger it in the
rails console apart from the controller.

I've made some additions to the demo app at git://github.com/dgm/decl_auth_demo_app.git

I've added an Address model that is joined through ConferenceAddress.
It's a bit contrived, but it illustrates the problem.

Using the rules provided, an admin can create an address by:

address = Conference.find(conference_id).addresses.create
(new does not create the join table reference)
(build lets me make the object, but then I cannot save it for the same
reasons)

This sets up a ConferenceAddress object and an Address object in the
Conference.addresses collection. But when you try to do the same
thing as a user role, it fails. I suspect the problem is that create()
makes the Address object first, then the ConferenceAddress object,
since it needs an identifier to point to the right address object.
However, declarative_authorization does the permission check
immediately upon creation of the Address object, before the
ConferenceAddress object has been initialized.

I'm not sure right now how to fix this - the permission check needs to
be delayed a bit.

As far as models go, couldn't the create action be checked on save?
It seems like it would be plausible that the permission couldn't be
checked until all the data conditions are in place....

dgm

Nov 23, 2009, 11:01:01 AM
to declarative_authorization


On Nov 23, 9:23 am, dgm <morto...@gmail.com> wrote:
> I'm not sure right now how to fix this - the permission check needs to
> be delayed a bit.
>
> As far as models go, couldn't the create action be checked on save?
> It seems like it would be plausible that the permission couldn't be
> checked until all the data conditions are in place....

It gets even more difficult - I tried to move the permit! check all
the way back to the after_save callback, but apparently the join model
still doesn't exist then.

I almost think rails doesn't have an appropriate callback hook...

Steffen Bartsch

Nov 23, 2009, 1:10:46 PM
to declarative_...@googlegroups.com
On Monday, 23 November 2009, dgm wrote:
> address = Conference.find(conference_id).addresses.create
> (new does not create the join table reference)
> (build lets me make the object, but then I cannot save it for the same
> reasons)

Actually, no join table reference should be necessary for the check.
ActiveRecord would need to set address.conferences to allow the decl_auth
check. If that doesn't occur, it might be an AR bug.

Does it work this way?
address = Address.new
address.conferences << conference
address.save!

Steffen
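The ordering problem dgm describes and the build-then-attach-then-save order Steffen suggests, as an added example that is not part of this thread and not code from declarative_authorization or the demo app. Because ActiveRecord is not loaded here, it is a plain-Ruby stand-in: the Conference and Address classes, the rule table, permit!, and the two creation helpers are all constructed for illustration. The :user rule is quantified over address.conferences, so it also answers dgm's "permission on nothing" question for this stand-in: an empty association never satisfies it.

```ruby
# Added example, not code from this thread or from declarative_authorization:
# a plain-Ruby stand-in (no ActiveRecord) for the ordering problem above. A rule
# quantified over a has_many :through association cannot pass while that
# association is still empty. All classes, rules and helper names are constructed.

class NotAuthorized < StandardError; end

User = Struct.new(:id, :role)

# role => { privilege => block(user, object) }. A user may create an Address
# only if one of its conferences is managed by that user; admins may do anything.
RULES = {
  admin: Hash.new(->(_user, _object) { true }),
  user: {
    # Quantified over the association: an empty association never satisfies it.
    create: ->(user, address) { address.conferences.any? { |c| c.manager_ids.include?(user.id) } }
  }
}.freeze

# Stand-in for permit!: raise unless a rule for this role/privilege accepts the object.
def permit!(privilege, object, user)
  rule = RULES.fetch(user.role, {})[privilege]
  return true if rule && rule.call(user, object)
  raise NotAuthorized, "#{user.role} may not #{privilege} #{object.class}"
end

class Address
  attr_reader :street, :conferences

  def initialize(street)
    @street = street
    @conferences = [] # the has_many :through side; empty on a fresh object
  end

  # Stand-in for save! with a before_save-style permission check.
  def save!(user)
    permit!(:create, self, user)
    self
  end
end

class Conference
  attr_reader :id, :manager_ids, :addresses

  def initialize(id, manager_ids)
    @id, @manager_ids, @addresses = id, manager_ids, []
  end

  # Stand-in for conference.addresses.create: the child is checked before the
  # join record (ConferenceAddress) exists, so the rule sees address.conferences == [].
  def create_address(street, user)
    address = Address.new(street)
    permit!(:create, address, user)
    link(address)
    address.save!(user)
  end

  # Stand-in for writing the join record.
  def link(address)
    address.conferences << self
    @addresses << address
    address
  end
end

# Path 1: create through the parent's collection.
def create_via_collection(conference, user)
  conference.create_address("1 Main St", user)
rescue NotAuthorized
  :denied
end

# Path 2 (the order suggested above): build, attach the parent through the
# association, then save, so the check runs with the relationship visible.
def create_via_link_then_save(conference, user)
  address = Address.new("1 Main St")
  address.conferences << conference
  address.save!(user)
rescue NotAuthorized
  :denied
end

# Constructed sample data: user 42 manages conference 1, user 7 does not.
def demo
  conference = Conference.new(1, [42])
  manager, stranger, admin = User.new(42, :user), User.new(7, :user), User.new(1, :admin)
  {
    manager_via_collection: create_via_collection(conference, manager),
    manager_via_link_first: create_via_link_then_save(conference, manager),
    stranger_via_link_first: create_via_link_then_save(conference, stranger),
    admin_via_collection: create_via_collection(conference, admin)
  }
end

demo.each { |path, result| puts "#{path}: #{result.is_a?(Address) ? 'created' : result}" } if __FILE__ == $PROGRAM_NAME
```

Running the file shows the manager denied on the collection path but allowed once the conference is attached first, the admin allowed either way, and a user who manages no conference still denied on the attach-first path: moving the check after the association is populated does not weaken the rule, it only lets the rule see the data it is written against.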

dgm

Nov 30, 2009, 11:58:40 AM
to declarative_authorization
Well, without the save, that may be a way to let it test the model.
I think there are some side effects ... let me test some more.

dgm

Nov 30, 2009, 2:52:07 PM
to declarative_authorization
I sent a pull request with this behaviour added to
new_controller_object_from_params and
new_controller_object_for_collection, along with the multiple nested
in capabilities.