declarative_authorization: control access to nested resource that doesn't have an explicit model
I have a model that allows a User to mark other Users as Favorites. This HABTM relationship is defined in the User model:
class User < ActiveRecord::Base
has_and_belongs_to_many :favorites, :class_name => "User", :join_table => "favorites", :association_foreign_key => "favorite_id", :foreign_key => "user_id"
end
The FavoritesController only requires three actions (index, create, destroy) to manage a User's Favorites.
Rule: Only an authenticated user (current_user) is allowed to manage their Favorites.
Initially, I tried to represent this rule in the authorization_rule.rb file:
# allow authenticated user to update profile
has_permission_on :users, :to => :change do
if_attribute :id => is { user.id }
has_permission_on :favorites, :to => [:index,:create,:destroy]
end
This didn't work, probably because the Favorite doesn't have an explicit model (i.e. favorite.rb). Though I could be wrong about this.
It seems like the correct approach would be to represent the rule in the FavoritesController:
filter_access_to :all, :nested_in => :users
...
But I'm not certain how to represent the rule properly here.
Assistance is really appreciated.
** edit **
It was suggested that I use a context to control access in this situation: setting permissions for a no-model controller .
I 开发者_StackOverflow中文版tried modifying the FavoritesController:
filter_access_to :all, :context => :favorites
This change had no effect.
** /edit **
精彩评论