Hello,
I'm designing a system that needs the admin to be able to change permissions of roles. Roles and permissions are static but the permissions assigned to a role can vary.
I was planning to make a table like this:
| name | operation | context | context_attribute | user_attribute | compare_by |
|---|---|---|---|---|---|
| Create projects | create | project | | | |
| Read all projects | read | project | | | |
| Update all projects | update | project | | | |
| Delete all projects | delete | project | | | |
| Update managed projects | update | project | managers | user | contains |
| Delete managed projects | delete | project | managers | user | contains |
| Update leaded projects | update | project | leaders | user | contains |
| Delete leaded projects | delete | project | leaders | user | contains |
| Create activity in any project | create | activity | | | |
| Read activities in any project | read | activity | | | |
| Update activities in any project | update | activity | | | |
| Delete activities in any project | delete | activity | | | |
| Create activity in managed projects | create | activity | project | user.managing_projects | is_in |
| Update activity in managed project | update | activity | project | user.managing_projects | is_in |
| Delete activity in managed projects | delete | activity | project | user.managing_projects | is_in |
| Create activity in leaded projects | create | activity | project | user.leading_projects | is_in |
| Update activity in leading projects | update | activity | project | user.leading_projects | is_in |
| Delete activities in leading projects | delete | activity | project | user.leading_projects | is_in |
| Update assigned activities | update | activity | assigned | user | contains |
| Delete assigned activities | delete | activity | assigned | user | contains |
And then in the authorization rules file do this:
    Role.find_each do |r|
      role r.name.to_sym do
        r.permissions.each do |p|
          has_permission_on p.context.to_sym, to: p.operation.to_sym do
            if p.context_attribute
              if_attribute p.context_attribute => [p.compare_by.to_sym, eval(p.user_attribute)]
            end
          end
        end
      end
    end
Is this possible?
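As an added illustration (not part of the original post or of declarative_authorization), the rows of the table above can be evaluated directly at check time with a closed operator map and allowlisted attribute names, so the admin-editable `user_attribute` and `compare_by` strings are looked up rather than passed to `eval`. The sample rows, roles and `Struct` records below are constructed for the example.

```ruby
# Constructed sample rows in the table layout described above (hypothetical values).
PERMISSIONS = [
  { name: 'Read all projects', operation: 'read', context: 'project' },
  { name: 'Update managed projects', operation: 'update', context: 'project',
    context_attribute: 'managers', user_attribute: 'user', compare_by: 'contains' },
  { name: 'Create activity in managed projects', operation: 'create', context: 'activity',
    context_attribute: 'project', user_attribute: 'user.managing_projects', compare_by: 'is_in' },
  { name: 'Update assigned activities', operation: 'update', context: 'activity',
    context_attribute: 'assigned', user_attribute: 'user', compare_by: 'contains' }
].freeze

# Role -> permission names; this is the admin-editable part of the model.
ROLE_PERMISSIONS = {
  'manager' => ['Read all projects', 'Update managed projects', 'Create activity in managed projects'],
  'member'  => ['Read all projects', 'Update assigned activities']
}.freeze

# Closed set of operators: a compare_by value outside this map is denied, never evaluated.
COMPARATORS = {
  'contains' => ->(ctx_value, user_value) { Array(ctx_value).include?(user_value) },
  'is_in'    => ->(ctx_value, user_value) { Array(user_value).include?(ctx_value) }
}.freeze
# Allowlisted attribute names, so a stored string can never reach an arbitrary method.
CONTEXT_ATTRIBUTES = %w[managers leaders project assigned].freeze
USER_ATTRIBUTES    = %w[managing_projects leading_projects].freeze
User     = Struct.new(:id, :managing_projects, :leading_projects) # lists of project ids
Project  = Struct.new(:id, :managers)                              # list of User records
Activity = Struct.new(:project, :assigned)                         # project id, User records

# "user" resolves to the user itself; "user.<attr>" to one allowlisted attribute.
def resolve_user_attribute(user, path)
  head, attr, *extra = path.to_s.split('.')
  return user if head == 'user' && attr.nil?
  ok = head == 'user' && extra.empty? && USER_ATTRIBUTES.include?(attr)
  raise ArgumentError, "disallowed user_attribute #{path.inspect}" unless ok
  user.public_send(attr)
end

def permitted?(role, operation, context, object, user)
  granted = ROLE_PERMISSIONS.fetch(role, [])
  PERMISSIONS.any? do |p|
    next false unless granted.include?(p[:name]) && p[:operation] == operation && p[:context] == context
    next true if p[:context_attribute].nil? # unconditional row, e.g. "Read all projects"
    next false unless CONTEXT_ATTRIBUTES.include?(p[:context_attribute]) && COMPARATORS.key?(p[:compare_by])
    COMPARATORS[p[:compare_by]].call(object.public_send(p[:context_attribute]),
                                     resolve_user_attribute(user, p[:user_attribute]))
  end
end
```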