before_filter with parameters to authenticate user's permissions
I need to make sure a user has the correct permissions before allowing them to edit an employee's information. Specifically the user has to be an admin and the user must belong to the same company as the employee. What's the best way to do something like this?
def EmployeesController < ApplicationController
before_filter :requires_admin_from_company(cid)
# Only allow access to this if user.admin is true and user.company_id is equal to employee.company_id
def update
# Somehow pass @employee.company_id into admin
开发者_运维知识库@employee = Employee.find(params[:id])
@employee.update_attributes(params[:employee])
end
def requires_admin_from_company(cid)
if !@current_user.admin? || @current_user.company_id != cid
redirect_to login_url
end
end
end
How about
before_filter lambda{ requires_admin_from_company(params[:cid]) }, :only => :create
I've found Authorization with CanCan to be very helpful in these situations
精彩评论