How I have things defined is like this:
has_permission_on :comments, :to => [:read] do
  if_permitted_to :read, :commentable
end

has_permission_on :comments, :to => [:create, :update, :delete], :join_by => :and do
  if_permitted_to :read, :commentable
  if_attribute :author => is { user }
end
Where that blows up is if you try doing something like this:
@issue.comments.with_permissions_to :read
Or even
Comment.with_permissions_to :read
The model scope doesn't understand polymorphic associations correctly at all... theoretically you could do something like this:
has_permission_on :comments, :to => :read, :join_by => :and do
  # attribute name corrected from the original's :commenable_type
  if_attribute :commentable_type => is { 'Issue' }
  if_permitted_to :read, :commentable, :context => :issues
end
However, it's not working for me. For comments I usually don't need to use it, as it's always the case that a user can read anything on the commentable, and I only display comments when viewing the commentable. But for cases where I do, I end up manually overriding with_permissions_to on that model.
E.g. something like this. Now, you need to make sure all of your other filters are BEFORE with_permissions_to in this case (it has to be LAST as it returns an array, not an AR::Relation):
# Override declarative_authorization's version due to lack of polymorphic support
#
# todo: see if it's possible to incorporate this IN declarative_authorization or at least generalize
#
# Iterates through event objects from the database and checks if the current user CAN use the specified permission
#
def self.with_permissions_to(permission, *args)
  options = args.extract_options!.dup
  # Load everything matching the earlier filters, then filter in Ruby.
  # Returns an Array, not a relation, so this must be the last call in the chain.
  self.all(options).select do |e|
    e.permitted_to? permission
  end
end
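As an added illustration (not code from the original post, and not using declarative_authorization itself), here is a plain-Ruby stand-in for the rules above: read on a comment follows read on its polymorphic commentable, the write permissions additionally require the author to be the current user (the :join_by => :and), and the in-memory with_permissions_to filter returns an Array. User, Issue, Comment and the Authorizer class are constructed for this example.

```ruby
# Constructed stand-ins for the models; no ActiveRecord involved.
User    = Struct.new(:name)
Issue   = Struct.new(:id, :readers)               # readers: users allowed to read the issue
Comment = Struct.new(:id, :author, :commentable)  # commentable is polymorphic

class Authorizer
  def initialize(user)
    @user = user
  end

  # Mirrors "if_permitted_to :read, :commentable": readable exactly when the
  # parent object (whatever its type) is readable by the current user.
  def permitted_on_commentable?(comment)
    comment.commentable.readers.include?(@user)
  end

  # Mirrors the two has_permission_on blocks, including :join_by => :and
  # for the write permissions (parent readable AND author is the user).
  def permitted_to?(permission, comment)
    case permission
    when :read
      permitted_on_commentable?(comment)
    when :create, :update, :delete
      permitted_on_commentable?(comment) && comment.author == @user
    else
      false
    end
  end

  # In-memory equivalent of the overridden with_permissions_to: filters after
  # loading, so the result is an Array and any other filters must come first.
  def with_permissions_to(permission, comments)
    comments.select { |c| permitted_to?(permission, c) }
  end
end

# Constructed sample data
ALICE = User.new('alice')
BOB   = User.new('bob')
PUBLIC_ISSUE  = Issue.new(1, [ALICE, BOB])
PRIVATE_ISSUE = Issue.new(2, [BOB])
COMMENTS = [
  Comment.new(10, ALICE, PUBLIC_ISSUE),
  Comment.new(11, BOB,   PUBLIC_ISSUE),
  Comment.new(12, BOB,   PRIVATE_ISSUE),
]
```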