Am I missing something with has_role



Mar 30, 2010, 9:53:54 AM
to acl9-discuss

I want to associate a role with a person and an object

I therefore add a before_filter and implement the before_filter

def load_for_view
  @customer = Customer.find_by_id(params[:id])
end

All ok so far.

If I have access to the customer id (via the URL, for example) and then
modify this value, I expect ACL9 to restrict my access to this object
(i.e. it might belong to another user). If I put in another customer's
number that does not exist, the find will return nil. This then gets
passed to the has_role method but follows the route that performs the
check on the role only. What I want is for the behaviour to be the
same as if I was making a request for access to a customer that
belongs to someone else.

What I can do is do the check in the method (i.e. view), but it would be
good if I could trap this in has_role.

Any ideas?


Jason King

Mar 30, 2010, 1:13:40 PM
You want the (undocumented) :protect_global_roles option (you want to set it to true).  See this commit for the docs:


rubish gupta

Mar 31, 2010, 3:41:24 PM
You can also do it by overriding the has_role method in your user model:

def has_role role, obj=nil
  return false if obj.is_a?(Customer) and obj.blank?
  super role, obj
end
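
The behaviour discussed in this thread, as an added example that is not part of any post and is not acl9's code: a toy role store in which a failed lookup (nil) turns an object-scoped check into a role-only check, next to two ways of closing the gap. `ToyUser`, `Role`, `CUSTOMERS`, `find_customer` and both `can_view` helpers are hypothetical names, and the `protect_global_roles` flag is modelled on the assumption that it restricts object-less checks to global roles.

```ruby
# Added illustration: a toy role store, not acl9's implementation.
Role = Struct.new(:name, :target_id) # target_id nil => global role

CUSTOMERS = { 1 => { id: 1 }, 2 => { id: 2 } }.freeze # constructed sample data

class ToyUser
  def initialize(roles, protect_global_roles: false)
    @roles = roles
    @protect_global_roles = protect_global_roles
  end

  # Same shape as in the thread: the object argument defaults to nil.
  def has_role?(name, obj = nil)
    named = @roles.select { |r| r.name == name }
    return named.any? { |r| r.target_id == obj[:id] } unless obj.nil?

    # No object given: either any role of that name counts,
    # or (assumed flag semantics) only a global one does.
    if @protect_global_roles
      named.any? { |r| r.target_id.nil? }
    else
      named.any?
    end
  end
end

# Stand-in for Customer.find_by_id: returns nil for an unknown id.
def find_customer(id)
  CUSTOMERS[id]
end

# Pattern from the question: the lookup result goes straight into the check.
def can_view?(user, id)
  user.has_role?(:owner, find_customer(id))
end

# Fail closed: a missing record is denied before any role check runs.
def can_view_fail_closed?(user, id)
  customer = find_customer(id)
  return false if customer.nil?

  user.has_role?(:owner, customer)
end
```

With an owner role on customer 1 only, the unguarded check denies customer 2 but allows the nonexistent id 999; the flag and the explicit nil guard both deny it.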
