select fields based on role?


Marli

Oct 2, 2009, 3:24:28 PM
to declarative_authorization
Hi, I was wondering if there was a way to restrict which fields are
retrieved from the db based on a role.

So, if products has 2 attributes description and cost, role :guest
only retrieves the description column and id.

Can this only be accomplished by setting the display of the attribute
in the view?

such as:
<%= product.cost if permitted_to? :manage, :products %>

I would prefer to selectively add the fields to the authorization
file, but it didn't look like this was possible.

here is what I would like to do:

:guest has_permission_on :products, :to => {:read => :description}

Is this possible?

Steffen Bartsch

Oct 4, 2009, 12:22:05 PM
to declarative_...@googlegroups.com
On Friday, 2 October 2009, Marli wrote:
> here is what I would like to do:
> :guest has_permission_on :products, :to => {:read => :description}
>
> Is this possible?

No, such a mechanism isn't implemented in decl_auth. The reason is that
decl_auth really only enforces access control on row/object level, not on
attribute level. That said, you could use STI to separate attributes to allow
from those not allowed. Is that a valid option for you?

Steffen

Marli

Oct 5, 2009, 2:09:05 PM
to declarative_authorization
I'm not sure exactly how I would implement that change. You're talking
about basically moving the attribute from the column to the row so
that permissions are activated that way, right? You don't know of any
authorization program that can auto modify the select statement? Do
you know if DA could be modified to function in this way?

Thanks,
Marli

Steffen Bartsch

Oct 6, 2009, 3:30:00 AM
to declarative_...@googlegroups.com
On Monday, 5 October 2009, Marli wrote:
> You're talking
> about basically moving the attribute from the column to the row so
> that permissions are activated that way, right?

Actually, I was referring to splitting the information into more than one
model. Each model can have different privileges. E.g. public information
could be stored in :products, private details in :private_product_data. Both
models could be connected through a has_one association. This is only a valid
approach if a clear distinction can be made, though.

> You don't know of any
> authorization program that can auto modify the select statement? Do
> you know if DA could be modified to function in this way?

It should be possible to extend decl_auth in this way, but it would need
considerable effort. Also, I'm not sure how the API would need to change to
include queries on which columns to allow access to. If you'd like to invest in
that, I'm happy to offer support, of course.

Steffen
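
An added sketch (not from the thread and not decl_auth's API) of the attribute-level rule Marli asked for: a plain Ruby whitelist of readable columns per role and model, used both to build the SELECT column list and to strip attributes from an already-loaded record. The rule table, model and column names are constructed for the example; unknown roles get nothing (deny by default) and a rule naming a column the model does not have raises, so misconfiguration surfaces instead of silently widening access.

```ruby
# Hypothetical column-level rules: role -> model -> columns the role may read.
# Constructed for this example; :guest sees only the description, :admin also the cost.
COLUMN_RULES = {
  :guest => { :products => [:description] },
  :admin => { :products => [:description, :cost] },
}.freeze

# Constructed schema: every column each model actually has.
ALL_COLUMNS = { :products => [:id, :description, :cost] }.freeze

# Columns a role may SELECT from a model. Unknown role or model => [] (deny by default).
# :id is always included so the record can still be referenced and linked.
def permitted_columns(role, model)
  allowed = COLUMN_RULES.fetch(role, {}).fetch(model, [])
  return [] if allowed.empty?
  known = ALL_COLUMNS.fetch(model) { raise ArgumentError, "unknown model #{model}" }
  unknown = allowed - known
  raise ArgumentError, "rule names unknown columns: #{unknown.inspect}" unless unknown.empty?
  ([:id] + allowed).uniq
end

# Build the narrowed SELECT. Column and table names come only from the
# whitelist above, never from user input, so interpolating them is safe here.
def select_sql(role, model)
  cols = permitted_columns(role, model)
  return nil if cols.empty?
  "SELECT #{cols.join(', ')} FROM #{model}"
end

# Second enforcement point: drop forbidden attributes from a loaded record hash,
# so a view cannot accidentally render a column the role may not read.
def filter_attributes(role, model, record)
  cols = permitted_columns(role, model)
  record.select { |name, _value| cols.include?(name) }
end

if $0 == __FILE__
  puts select_sql(:guest, :products)   # SELECT id, description FROM products
  puts select_sql(:admin, :products)   # SELECT id, description, cost FROM products
  p filter_attributes(:guest, :products, :id => 1, :description => "Widget", :cost => 9.99)
end
```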

Marli

Oct 7, 2009, 12:03:26 AM
to declarative_authorization
Ah, thanks for clarifying. That may yet be a possibility. I'm
looking into possibly using the ModelSecurity gem in conjunction with
DA right now.