specifying context on has_permissions_on throws an error in console


robacarp

Aug 24, 2012, 12:19:45 AM
to declarative_...@googlegroups.com
I'm not entirely sure if I'm doing this correctly or not, but I can't sort this out in the least.  I've got a polymorphic model called Image, which provides pictures to a few other models.  The images are streamed from the image controller directly to the browser so they can be access-controlled.  I'm trying to write a rule which will allow only users with access to the polymorphic type to fetch the picture.

Stripped down models:

class Image < ActiveRecord::Base
  include Magick

  using_access_control

  # polymorphic association: an Image belongs to a Pcb or to one of the
  # other models that carry pictures
  belongs_to :imageable, :polymorphic => true
  self.table_name = :product_image
end

class Pcb < ActiveRecord::Base
  using_access_control

  has_many   :layers, :class_name => "PcbLayer", :foreign_key => :pcb_design_id
  has_one    :image,  :as => :imageable
end


The relevant authorization rules:


authorization do
  role :guest do
    has_permission_on :pcbs, :to => [:show, :index] do
      if_attribute :public => true
    end

    # pcb_stream is the method which streams the image for a pcb id down to the client
    has_permission_on :images, :to => [:pcb_stream] do
      if_permitted_to :show, :imageable, :context => :pcbs
    end
  end

  role :user do
    includes :guest

    has_permission_on :pcbs, :to => [:new, :create]
    has_permission_on :pcbs, :to => [:show] do
      # either condition is enough: the pcb's owner, or a public pcb
      if_attribute :user => is { user }
      if_attribute :public => true
    end

    has_permission_on :pcbs, :to => [:edit, :update, :verify_layers, :save_layers] do
      if_attribute :user => is { user }
    end
  end

end

In the browser, the image rule just doesn't deny anyone.  Users, pcb-owners, and guests, all have rights to see the image even when they correctly can't pull up the pcb#show page for the same image.  I've cloned the repo so I could grep through the code, but it is up to date with github master.

In the console, when I try and test the rule, I've been doing this:

> Pcb.with_permissions_to(:show).find(90059)      #a public=false pcb
ActiveRecord::RecordNotFound                           #as expected

> Image.with_permissions_to(:pcb_stream).find(173709)   #the image associated with pcb 90059, which is public=false and should get denied
NoMethodError: undefined method `length' for nil:NilClass
from /Users/robacarp/Sites/declarative_authorization/lib/declarative_authorization/obligation_scope.rb:120:in `follow_comparison'


I'm not really sure that I'm not trying to do something that shouldn't be done in this way, but I'm at a dead end as far as exploring.  Any help is much appreciated.

robacarp
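The access rule the post is trying to express (an image may be streamed only when the requesting user may :show the Pcb it belongs to) written out as a per-object check in plain Ruby. This is an added example, not code from the post and not declarative_authorization's own code: the Struct models, the role lookup, and the sample ids and users are assumptions constructed here, and the rules are evaluated on loaded objects rather than compiled into an ActiveRecord scope. The point it demonstrates is the fail-closed behaviour the post wants: a missing imageable, or one that is not a Pcb, is denied rather than let through.

```ruby
# Plain-Ruby model of the authorization rules from the post (constructed
# example, no gem dependency). Evaluation is per object: the polymorphic
# association is followed at runtime instead of being turned into SQL.
Pcb   = Struct.new(:id, :public, :user)
Image = Struct.new(:id, :imageable)   # imageable is polymorphic: any object, or nil
User  = Struct.new(:name, :role)      # role is :guest or :user (assumed shape)

# Per-object form of the pcbs :show rules above.
# Role :user includes :guest, so a :user is also checked against the guest rule.
PCB_SHOW_RULES = {
  :guest => lambda { |pcb, _user| pcb.public == true },
  :user  => lambda { |pcb, user|  pcb.user == user || pcb.public == true },
}.freeze

# nil stands for an anonymous visitor, which only gets the :guest rules.
def roles_for(user)
  return [:guest] if user.nil?
  user.role == :user ? [:user, :guest] : [:guest]
end

def permitted_to_show_pcb?(user, pcb)
  roles_for(user).any? { |role| PCB_SHOW_RULES.fetch(role).call(pcb, user) }
end

# Per-object form of
#   has_permission_on :images, :to => [:pcb_stream] do
#     if_permitted_to :show, :imageable, :context => :pcbs
#   end
# The association is resolved at runtime, the target must really belong to
# the :pcbs context, and anything else (nil, another imageable class) is denied.
def permitted_to_stream_image?(user, image)
  target = image.imageable
  return false unless target.is_a?(Pcb)
  permitted_to_show_pcb?(user, target)
end

# Filtering counterpart of Image.with_permissions_to(:pcb_stream), applied
# in Ruby to already-loaded records rather than pushed into the query.
def images_permitted_to_stream(user, images)
  images.select { |image| permitted_to_stream_image?(user, image) }
end

# Constructed sample data; the ids are not the ones from the post.
def sample_scenario
  owner = User.new("owner", :user)
  other = User.new("other", :user)
  private_pcb = Pcb.new(1, false, owner)   # like the post's public=false pcb
  public_pcb  = Pcb.new(2, true,  other)
  {
    :owner => owner, :other => other, :guest => nil,
    :private_image => Image.new(10, private_pcb),
    :public_image  => Image.new(11, public_pcb),
    :orphan_image  => Image.new(12, nil),   # dangling polymorphic target
  }
end

if __FILE__ == $0
  s = sample_scenario
  [[:guest, :private_image], [:other, :private_image], [:owner, :private_image],
   [:guest, :public_image], [:owner, :orphan_image]].each do |who, which|
    puts "#{who} -> #{which}: #{permitted_to_stream_image?(s[who], s[which])}"
  end
end
```

Run it as a script and the private image is denied to the guest and to the non-owning user, allowed to the owner, the public image is allowed to the guest, and the orphan image is denied to everyone. That last row is the check worth keeping in a real test suite: a streaming endpoint that is meant to inherit the parent's access control should deny, not pass, when the parent cannot be resolved.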