I'm not entirely sure if I'm doing this correctly or not, but I can't sort this out in the least. I've got a polymorphic model called Image, which provides pictures to a few other models. The images are streamed from the image controller directly to the browser so they can be access-controlled. I'm trying to write a rule which will allow only users with access to the polymorphic type to fetch the picture.
Stripped down models:
class Image < ActiveRecord::Base
  include Magick
  using_access_control

  # polymorphic association
  belongs_to :imageable, :polymorphic => true

  self.table_name = :product_image
end

class Pcb < ActiveRecord::Base
  using_access_control

  has_many :layers, :class_name => "PcbLayer", :foreign_key => :pcb_design_id
  has_one :image, :as => :imageable
end
The relevant authorization rules:
authorization do
  role :guest do
    has_permission_on :pcbs, :to => [:show, :index] do
      if_attribute :public => true
    end

    # pcb_stream is the method which streams the image for a pcb id down to the client
    has_permission_on :images, :to => [:pcb_stream] do
      if_permitted_to :show, :imageable, :context => :pcbs
    end
  end

  role :user do
    includes :guest

    has_permission_on :pcbs, :to => [:new, :create]

    has_permission_on :pcbs, :to => [:show] do
      if_attribute :user => is { user }
      if_attribute :public => true
    end

    has_permission_on :pcbs, :to => [:edit, :update, :verify_layers, :save_layers] do
      if_attribute :user => is { user }
    end
  end
end
In the browser, the image rule just doesn't deny anyone. Users, pcb-owners, and guests all have rights to see the image even when they correctly can't pull up the pcb#show page for the same image. I've cloned the repo so I could grep through the code, but it is up to date with GitHub master.
In the console, when I try and test the rule, I've been doing this:
    > Pcb.with_permissions_to(:show).find(90059) # a public=false pcb
    ActiveRecord::RecordNotFound # as expected

    > Image.with_permissions_to(:pcb_stream).find(173709) # the image associated with pcb 90059, which is public=false and should get denied
    NoMethodError: undefined method `length' for nil:NilClass
      from /Users/robacarp/Sites/declarative_authorization/lib/declarative_authorization/obligation_scope.rb:120:in `follow_comparison'
I'm not really sure that I'm not trying to do something that shouldn't be done in this way, but I'm at a dead end as far as exploring. Any help is much appreciated.
robacarp