Spree Permissions, custom roles


Scratch22

Mar 15, 2011, 2:13:35 AM
to Spree
I'm using Spree 0.40.3 and loving it. Pure awesome.

I'm trying to give a 'manager' role rights to add products from the
admin section...

The code below gives me full access to the admin area when I override the
CanCan abilities:

class RoleAbility
  include CanCan::Ability

  def initialize(user)
    if user.has_role? :manager
      can :manage, :all # This works; when I change it to `can :manage, Product` it fails
    end
  end
end

I've also tried to create a config/spree_permissions.yml and added the
following:

'Admin::BaseController':
  permission1:
    roles: [admin]

'Admin::ProductsController':
  permissions1:
    roles: [admin, retailer]


The abilities are registered like so:
Ability.register_ability(RoleAbility) within def self.activate in
lib/[ext].rb.

It half works and I know I'm missing something, but I have searched up
and down through this group, followed the docs, and nothing was
successful.

Any pointers?

Much appreciated! ;)

Brian Quinn

Mar 15, 2011, 5:43:37 AM
to spree...@googlegroups.com
So config/spree_permissions.yml is no longer supported, so you can drop that.

It's hard to tell exactly what code you had in your RoleAbility from the snippet in your email, but it looks like you were doing everything correctly.

Where exactly were you getting the error? (If you were logging in as a manager, you would get redirected to the OverviewController by default when accessing admin; maybe that's the error you are seeing?)

Brian Quinn

-------------------------------------------
Rails Dog LLC
2 Wisconsin Circle, Suite 700
Chevy Chase, MD 20815
-------------------------------------------

Scratch22

Mar 15, 2011, 7:19:20 PM
to Spree
Hey, thanks Brian for replying.

The exact code I have in RoleAbility is...

class RoleAbility
  include CanCan::Ability

  def initialize(user)
    if user.has_role? :manager
      can :manage, :all
    end
  end
end

This works as expected... But I do not want a manager to have rights
to all... only products for now.

So what I tried was to change it to this:

class RoleAbility
  include CanCan::Ability

  def initialize(user)
    if user.has_role? :manager
      can :manage, Product
    end
  end
end

When I send the logged-in 'manager' to /admin/products it's an
"Authorization Failure".

Do I need to edit any/many admin or product controllers? Or maybe I
need to give access to a bit more than just products?? Maybe taxons/
orders..

Or would I need to specify read-only/deny access for every resource??

It seems a little cumbersome to specify every resource I don't want, to be
access denied??

I'm gonna try this and get back.

Thanks again for the tips; new to Spree, first major Rails app, ahh
the art of learning ;)



Scratch22

Mar 15, 2011, 8:18:32 PM
to Spree
Oh, and I don't get redirected; it just renders my theme layout and
flashes "Authorization Failure". This is my log...


Started GET "/admin/products" for 127.0.0.1 at 2011-03-16 10:17:26 +1000
SQL (0.6ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.6ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.6ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.6ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
Processing by Admin::ProductsController#index as HTML
User Load (1.5ms) SELECT "users".* FROM "users" WHERE "users"."id" = 22 LIMIT 1
Role Load (0.2ms) SELECT * FROM "roles" INNER JOIN "roles_users" ON "roles".id = "roles_users".role_id WHERE ("roles_users".user_id = 22 )
SQL (0.6ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
Property Load (0.2ms) SELECT "properties".* FROM "properties" WHERE "properties"."name" = 'brand' LIMIT 1
SQL (0.5ms) SELECT name FROM sqlite_master WHERE type = 'table' AND NOT name = 'sqlite_sequence'
Completed in 182ms
Rendered jltheme/app/views/shared/_login_bar.html.erb (1.0ms)
Rendered jltheme/app/views/shared/_search.html.erb (0.8ms)
Rendered jltheme/app/views/shared/_main_nav.html.erb (0.7ms)
Rendered jltheme/app/views/shared/_flashes.html.erb (0.5ms)
Rendered jltheme/app/views/shared/_breadcrumbs.html.erb (0.7ms)
Rendered jltheme/app/views/shared/_footer.html.erb (0.3ms)
Rendered /home/zarne/.rvm/gems/ruby-1.9.2-p136/gems/spree_auth-0.40.3/app/views/shared/unauthorized.html.erb within layouts/spree_application (22.8ms)

Scratch22

Mar 15, 2011, 8:21:48 PM
to Spree
Also tried overriding admin_controller as well with this:

Admin::BaseController.class_eval do
  before_filter :authorize_roles

  def authorize_roles
    authorize! :admin, Object
    authorize! :retailer, Object
  end
end

Not sure why, or if this is the right direction, but may as well give it a go
tho... and as expected had no luck, with/without :admin/:retailer etc.
Most of the files I edit I try with a few variations...

Scratch22

Mar 15, 2011, 9:07:09 PM
to Spree
Also noticed when I log in with my retailer account this is the log:

Processing by UserSessionsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"OIB57YouNSjDqjsuCnRhy3FAjV2LQRf+Ge/fc4vPC34=", "user"=>{"email"=>"1...@gcds.com.au", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Log In"}
User Load (1.5ms) SELECT "users".* FROM "users" WHERE "users"."email" = '1...@gcds.com.au' LIMIT 1
SQL (0.2ms) SELECT COUNT(DISTINCT "roles"."id") FROM "roles" LEFT OUTER JOIN "roles_users" ON "roles_users"."role_id" = "roles"."id" LEFT OUTER JOIN "users" ON "users"."id" = "roles_users"."user_id" WHERE "roles"."name" = 'admin'   ++++++++++++++++++++ NOTE THIS LOAD !!!!!! +++++++++++++++
AREL (0.4ms) UPDATE "users" SET "last_sign_in_at" = '2011-03-16 00:52:43.693922', "current_sign_in_at" = '2011-03-16 01:00:58.879476', "sign_in_count" = 10, "updated_at" = '2011-03-16 01:00:58.901077' WHERE "users"."id" = 22
Role Load (0.2ms) SELECT * FROM "roles" INNER JOIN "roles_users" ON "roles".id = "roles_users".role_id WHERE ("roles_users".user_id = 22 )
Redirected to http://localhost:3000/
Order Load (0.2ms) SELECT "orders".* FROM "orders" WHERE "orders"."id" IS NULL LIMIT 1
Completed 302 Found in 140ms


I'm suspecting I don't want to check just for the admin account? I should be
checking for "admin or retailer"?? BTW, this account only has one role,
"retailer".

Scratch22

Mar 16, 2011, 2:10:29 AM
to Spree

class RoleAbility
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # fall back to a blank user for guests
    can :manage, Product
  end
end

which in theory should allow anyone to access and manipulate
Products??... But unfortunately not... :(

Just to get things going... all I want to do is

- Give access to manage only /admin/products without actually being an
admin...

swapnil

Jun 18, 2012, 7:00:44 AM
to spree...@googlegroups.com
Hi Zarne,

How did you resolve this issue...?

Were you able to give access to the specified role...?

'Cause I am also trying to do the same thing but am unable to access the admin section of Spree:
'Authorization Failure'

fab...@coqtail.com

May 7, 2015, 12:06:04 PM
to spree...@googlegroups.com
For me the following code worked fine:

if user.respond_to?(:has_spree_role?) && user.has_spree_role?(:retailer)
  can :manage, Spree::Product
end

Vincent Edison

Aug 22, 2016, 1:39:06 AM
to Spree
The following code works fine:

class AbilityDecorator
  include CanCan::Ability

  def initialize(user)
    if user.respond_to?(:has_spree_role?) && user.has_spree_role?('manager')
      # Spree's admin controllers authorize the :admin action on the model
      # class before the requested action, so :admin is granted per model
      # alongside the actions the manager may actually perform.
      can [:admin, :index, :show], Spree::Order
      can [:admin, :index, :show, :create], Spree::Product
      can [:admin, :index, :show], Spree::Taxon
      can [:admin, :index, :show], Spree.user_class
      can [:admin, :index, :show], Spree::Promotion
      can [:admin, :index, :show], Spree::Page
    end
  end
end

Spree::Ability.register_ability(AbilityDecorator)

But the problem is that if a user is set as manager, the logout button in the admin navbar is missing. Can someone help me solve this?
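The two answers above (fab's `can :manage, Spree::Product` and Vincent's per-model grants) both scope the role down instead of handing it `can :manage, :all`, which is full admin access under another name. The following is an added example, not code from the thread or from Spree: it uses a small stand-in for the two CanCan features involved (`can` recording rules, `can?` treating `:manage` as any action and `:all` as any subject), placeholder `Spree::Product`/`Order`/`Taxon` constants and a `DemoUser` with `has_spree_role?`, and an assumed `admin_access` model of the check a Spree admin controller performs (the `:admin` action on the model class, then the requested action). It runs the same admin requests through the scoped grant and the over-broad one so the difference in exposed surface is visible.

```ruby
require 'pp'

# Placeholder constants standing in for the Spree models named in the thread
# (assumption: these are not the real Spree classes).
module Spree
  class Product; end
  class Order; end
  class Taxon; end
end

# Placeholder user exposing the has_spree_role? predicate the thread's code checks.
class DemoUser
  def initialize(roles)
    @roles = roles.map(&:to_s)
  end

  def has_spree_role?(role)
    @roles.include?(role.to_s)
  end
end

# Stand-in for the two CanCan features the thread relies on: `can` records a rule,
# and `can?` treats :manage as "any action" and :all as "any subject".
class MiniAbility
  def initialize
    @rules = []
  end

  def can(actions, subject)
    Array(actions).each { |action| @rules << [action, subject] }
  end

  def can?(action, subject)
    @rules.any? do |rule_action, rule_subject|
      (rule_action == :manage || rule_action == action) &&
        (rule_subject == :all || rule_subject == subject)
    end
  end
end

# Scoped grant in the shape of the thread's working answers: a manager may
# administer products and only list/view orders.
class ManagerAbility < MiniAbility
  def initialize(user)
    super()
    return unless user.respond_to?(:has_spree_role?) && user.has_spree_role?('manager')

    can [:admin, :index, :show, :create], Spree::Product
    can [:admin, :index, :show], Spree::Order
  end
end

# The over-broad grant the original post started from.
class AllAccessAbility < MiniAbility
  def initialize(user)
    super()
    return unless user.respond_to?(:has_spree_role?) && user.has_spree_role?('manager')

    can :manage, :all
  end
end

# Assumed model of the gate a Spree admin controller applies before serving
# an action: the :admin action on the controller's model class, then the
# requested action on the same class.
def admin_access(ability, action, model)
  return :unauthorized unless ability.can?(:admin, model)
  return :unauthorized unless ability.can?(action, model)

  :authorized
end

# Runs a fixed set of admin requests through an ability so two grants can be
# compared side by side.
def access_matrix(ability_class, user)
  ability = ability_class.new(user)
  {
    products_index: admin_access(ability, :index, Spree::Product),
    products_create: admin_access(ability, :create, Spree::Product),
    orders_index: admin_access(ability, :index, Spree::Order),
    orders_update: admin_access(ability, :update, Spree::Order),
    taxons_index: admin_access(ability, :index, Spree::Taxon)
  }
end

if __FILE__ == $PROGRAM_NAME
  manager = DemoUser.new(%w[manager])
  pp access_matrix(ManagerAbility, manager)          # only what was granted
  pp access_matrix(AllAccessAbility, manager)        # everything, orders_update included
  pp access_matrix(ManagerAbility, DemoUser.new([])) # no role, nothing
end
```

The matrix makes the review question concrete: with the scoped ability a manager can create products and list orders but cannot update an order or touch taxons, while `can :manage, :all` authorizes every row. When adding a role this way, it is worth listing the admin actions the role is expected to reach and checking each one against the ability, because any model without an `:admin` grant is refused at the gate exactly as the "Authorization Failure" in the thread shows.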

shel...@gmail.com

Nov 28, 2016, 5:59:37 AM
to Spree
There is one Spree extension, 'spree_admin_roles_and_access', available for the same purpose.