Rails multi level model security
I have the need to do the following in Rails to mirror a desktop application:
A User and an Office 'own' a record; if you don't own the record on a user or office level you're kicked into the public realm.
user gets read, write, delete to the model record
office gets read/write/delete to the model record
other or public gets read/write/delete to the model record
e.g.
UserA owns a model record with read/write/delete
OfficeA owns a model with read/write
other/public gets read
I was wondering if a plugin/gem existed to grant this functionality?
You need an authorization framework like cancan or declarative_authorization for that.
Good if somewhat old survey of plugins here: http://steffenbartsch.com/blog/2008/08/rails-authorization-plugins/ (last updated 2009)
Sounds like you want one that works at the model level. So choose one that has a "yes" in the "M" column.
I recommend using Grant. It's an easy to use, though fairly bare-bones, model-level security framework. I describe it in a little more detail in this answer.
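The owner/office/public scheme from the question, sketched as an added example that is not part of the original thread and does not use the API of cancan, declarative_authorization or Grant. It assumes a Unix-style rule where the first matching tier decides and there is no fall-through to a broader tier; every name in it (`Actor`, `Record`, `mode`, `permitted?`, `readable_by`) is hypothetical.

```ruby
# Added example: plain Ruby, no gem API. All names here are hypothetical.
READ, WRITE, DELETE = 4, 2, 1
ACTION_BITS = { read: READ, write: WRITE, delete: DELETE }.freeze
TIER_SHIFT  = { user: 6, office: 3, public: 0 }.freeze

Actor  = Struct.new(:id, :office_id)
Record = Struct.new(:name, :owner_id, :office_id, :mode)

# Exactly one tier applies. A nil actor (not logged in) is always public,
# and nil ids never match each other.
def tier_for(actor, record)
  return :public if actor.nil?
  return :user   if record.owner_id && actor.id == record.owner_id
  return :office if record.office_id && actor.office_id == record.office_id
  :public
end

# Deny by default: unknown actions are refused rather than raising.
def permitted?(actor, record, action)
  bit = ACTION_BITS[action]
  return false if bit.nil?
  shift = TIER_SHIFT.fetch(tier_for(actor, record))
  ((record.mode >> shift) & bit) != 0
end

# In Rails this filter would normally be pushed into the query itself.
def readable_by(actor, records)
  records.select { |r| permitted?(actor, r, :read) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: UserA (id 1) and OfficeA (id 10) own the record.
  user_a    = Actor.new(1, 10)
  colleague = Actor.new(2, 10)
  outsider  = Actor.new(3, 20)
  rec = Record.new("invoice", 1, 10, 0o764) # user rwd, office rw, public r
  [user_a, colleague, outsider, nil].each do |actor|
    allowed = ACTION_BITS.keys.select { |a| permitted?(actor, rec, a) }
    puts "#{actor ? "user #{actor.id}" : 'anonymous'}: #{allowed.join(', ')}"
  end
end
```

Because the check runs in the model layer, every controller, job or console call that goes through `permitted?` gets the same answer, which is the property the answers above mean by model-level authorization.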