I know there must be a simple solution for this but I haven't found it. What I have is a directory of people. I want to authorize each person to edit her own record but no others. Thus authorization depends on a comparison between the user and the database record.
I have tried this in the controller:
    # ActiveScaffold controller-level security method for the update action
    def update_authorized?(record = nil)
      is_member = record.is_a?(Member)
      # true only when the logged-in user's id matches the record's id
      same_id = is_member ? current_user.id == record.id : false
      ok = is_member && same_id
      return ok
    end
(the logic is broken up just so I can grasp it better). This almost works but leaves two problems.
First, in the authorized record the associated record fields in the list view are blocked from inline editing, though all the other fields are editable. For example, the user can edit his own name but not his nationality, because the latter is an associated field with a drop-down selector.
Second, the Edit action link at the end of the authorized record is disabled, along with those of all the unauthorized records. That seems to be because the authorization method only returns true when a record is present; if I change the last statement to return ok || !is_member, the Edit links for all the records become active again.
The documentation refers to using authorization methods in the model in order to control the action links, but the model does not have session available, so I'm not sure how to solve the problem. Thanks for any help!
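The following is an added, stand-alone Ruby example, not code from the original post or from ActiveScaffold. It models the ownership check the question describes with plain Struct stand-ins for Member, the user object and current_user (all assumptions), and puts the poster's original check, the "ok || !is_member" variant, and a tighter variant side by side. The point it shows is that "!is_member" is true for any non-Member argument, not only for the nil that the action links pass, so a policy that relaxes the rule for a missing record should test for nil explicitly; it also guards against an unsaved record (nil id) matching a user with no id.

```ruby
# Added example (not the poster's or ActiveScaffold's code). Member, User and
# the current_user argument are stand-ins for the application's own objects;
# the id-to-id comparison follows the poster's assumption that a user and
# her Member record share the same id.
Member = Struct.new(:id, :name)
User   = Struct.new(:id)

class MemberAuthorizer
  def initialize(current_user)
    @current_user = current_user
  end

  # The poster's original check: true only for the caller's own Member record.
  # A nil record (no specific record, as for a generic action link) is false,
  # which is what disables the Edit link in the question.
  def update_authorized_strict?(record = nil)
    record.is_a?(Member) && record.id == @current_user.id
  end

  # The poster's second attempt: "ok || !is_member". It re-enables the links,
  # but it is also true for *any* object that is not a Member, not just nil,
  # so the rule is relaxed far more widely than intended.
  def update_authorized_loose?(record = nil)
    is_member = record.is_a?(Member)
    (is_member && record.id == @current_user.id) || !is_member
  end

  # Tighter variant: answer "may this user update Members at all?" with true
  # only when no record is supplied, require ownership for a Member, reject
  # every other object, and never let two nil ids compare as equal.
  def update_authorized?(record = nil)
    return true if record.nil?
    return false unless record.is_a?(Member)
    return false if record.id.nil? || @current_user.id.nil?
    record.id == @current_user.id
  end
end

if __FILE__ == $PROGRAM_NAME
  auth = MemberAuthorizer.new(User.new(7))
  puts auth.update_authorized_strict?(Member.new(7, "own"))   # own record
  puts auth.update_authorized_loose?("not a member")          # the pitfall
  puts auth.update_authorized?(Member.new(8, "someone else")) # rejected
end
```

Whichever of these the controller exposes, the record-level rule stays the same: ownership is decided by comparing the logged-in user with the record, and only the no-record case is treated differently.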