Hello,
I'm designing a system that needs the admin to be able to change permissions of roles. Roles and permissions are static but the permissions assigned to a role can vary.
I was planning to make a table like this:
| name | operation | context | context_attribute | user_attribute | compare_by |
|---|---|---|---|---|---|
| Create projects | create | project | | | |
| Read all projects | read | project | | | |
| Update all projects | update | project | | | |
| Delete all projects | delete | project | | | |
| Update managed projects | update | project | managers | user | contains |
| Delete managed projects | delete | project | managers | user | contains |
| Update leaded projects | update | project | leaders | user | contains |
| Delete leaded projects | delete | project | leaders | user | contains |
| Create activity in any project | create | activity | | | |
| Read activities in any project | read | activity | | | |
| Update activities in any project | update | activity | | | |
| Delete activities in any project | delete | activity | | | |
| Create activity in managed projects | create | activity | project | user.managing_projects | is_in |
| Update activity in managed project | update | activity | project | user.managing_projects | is_in |
| Delete activity in managed projects | delete | activity | project | user.managing_projects | is_in |
| Create activity in leaded projects | create | activity | project | user.leading_projects | is_in |
| Update activity in leading projects | update | activity | project | user.leading_projects | is_in |
| Delete activities in leading projects | delete | activity | project | user.leading_projects | is_in |
| Update assigned activities | update | activity | assigned | user | contains |
| Delete assigned activities | delete | activity | assigned | user | contains |

And then in the authorization rules file do this:

    Role.find_each do |r|
      role r.name.to_sym do
        r.permissions.each do |p|
          has_permission_on p.context.to_sym, to: p.operation.to_sym do
            if p.context_attribute
              if_attribute p.context_attribute => [p.compare_by.to_sym, eval(p.user_attribute)]
            end
          end
        end
      end
    end

Is this possible?
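
An added example, not part of the original post and not code from any authorization library: a stand-alone sketch that evaluates rows shaped like the table above without passing the `user_attribute` column to `eval`, resolving it and `compare_by` through fixed allowlists instead. The `Permission` struct, the hash-based users and objects, and the function names are hypothetical.

```ruby
# Row shape mirrors the table's columns (the name column is omitted).
Permission = Struct.new(:operation, :context, :context_attribute,
                        :user_attribute, :compare_by)

# Allowlist: the only user_attribute strings a row may carry, each bound to
# a fixed accessor. Nothing read from the database is ever executed.
USER_ATTRIBUTES = {
  "user"                   => ->(u) { u },
  "user.managing_projects" => ->(u) { u[:managing_projects] },
  "user.leading_projects"  => ->(u) { u[:leading_projects] }
}.freeze

# Allowlist: the only compare_by values, with the meaning the table implies.
COMPARATORS = {
  "contains" => ->(object_value, user_value) { object_value.include?(user_value) },
  "is_in"    => ->(object_value, user_value) { user_value.include?(object_value) }
}.freeze

OPERATIONS = %w[create read update delete].freeze

# Reject a row when it is loaded if any field falls outside the allowlists.
def validate!(perm)
  raise ArgumentError, "bad operation #{perm.operation.inspect}" unless OPERATIONS.include?(perm.operation)
  return perm if perm.context_attribute.nil? # unconditional row
  raise ArgumentError, "bad user_attribute #{perm.user_attribute.inspect}" unless USER_ATTRIBUTES.key?(perm.user_attribute)
  raise ArgumentError, "bad compare_by #{perm.compare_by.inspect}" unless COMPARATORS.key?(perm.compare_by)
  perm
end

# True if any row grants `operation` on `object` (a hash with :type) to `user`.
def permitted?(perms, user, operation, object)
  perms.any? do |p|
    next false unless p.operation == operation && p.context == object[:type]
    next true if p.context_attribute.nil?
    object_value = object[p.context_attribute.to_sym]
    user_value   = USER_ATTRIBUTES.fetch(p.user_attribute).call(user)
    COMPARATORS.fetch(p.compare_by).call(object_value, user_value)
  end
end

# Constructed sample rows following two lines of the table.
PERMS = [
  Permission.new("update", "project", "managers", "user", "contains"),
  Permission.new("create", "activity", "project", "user.managing_projects", "is_in")
].map { |p| validate!(p) }
```

Validating rows at load time means an admin-edited value outside the allowlists fails closed with an `ArgumentError` instead of reaching the rule evaluation.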