
I have an app with the following models: People, Projects, ProjectsAdminLists.

There is a HABTM association between people and projects. Each project has one ProjectAdminsList, and each of those can have many people.

People belonging to each Project can add other people to it, but I want to restrict the removal of this association to those belonging to ProjectAdminsList. Restricting that in the views is straightforward, but what would be the best way to do it in the controller? I'm looking for general guidance on this.

ntlk

1 Answer


You need some kind of authorization system. I suggest you have a look at the CanCan gem written by Ryan Bates (the RailsCasts guy); you can start by watching the Authorization with CanCan RailsCast and then look at the really good documentation.

Here is an overview:

  • It just needs a current_user method to determine the currently logged-in user
  • You write the authorization rules in a single file (ability.rb)
  • You use the can? method in the view layer to check if a user can do some operation on something
  • You call load_and_authorize_resource in the controller to make CanCan automatically check the authorization based on the ability.rb file.

Of course I've just scratched the surface; as I said, the documentation is really good.

Aldo 'xoen' Giambelluca
    I've implemented some basic permissions checking, but CanCan looks really good. Will try it out. – ntlk Apr 26 '12 at 12:38
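As an added example (not part of the answer above, and not code from the CanCan gem), here is the rule the question asks for written in the shape it would take in app/models/ability.rb: any member of a project may add people, only people on the project's ProjectAdminsList may remove them. So that it runs as plain Ruby without Rails or the gem, the `Ability` class below carries a minimal stand-in for CanCan's `can`/`can?`/`authorize!` methods, and `Person`, `Project`, `ProjectAdminsList` and the controller are constructed stand-ins for the real models and controller; the sample people and project are constructed data. The point a reviewer would want to see is that the check runs in the controller against the specific project instance, so hiding the remove link in the view is not the only barrier: a crafted POST to the remove action is rejected too.

```ruby
# Constructed stand-ins for the ActiveRecord models in the question.
class Person
  attr_reader :name
  def initialize(name)
    @name = name
  end
end

class ProjectAdminsList
  attr_reader :people               # has_many :people
  def initialize(people = [])
    @people = people
  end
end

class Project
  attr_reader :name, :people, :project_admins_list
  def initialize(name, people:, admins:)
    @name = name
    @people = people                                      # HABTM people <-> projects
    @project_admins_list = ProjectAdminsList.new(admins)  # has_one :project_admins_list
  end
end

# Raised when a rule denies an action (CanCan raises CanCan::AccessDenied).
class AccessDenied < StandardError; end

# Minimal stand-in for CanCan's Ability class: the two `can` rules in
# initialize are written exactly as they would appear in ability.rb.
class Ability
  def initialize(user)
    @rules = []
    return unless user  # guests (no current_user) get no rules at all

    # Any person already on the project may add other people to it.
    can :add_member, Project do |project|
      project.people.include?(user)
    end

    # Only people on the project's admins list may remove members.
    can :remove_member, Project do |project|
      project.project_admins_list.people.include?(user)
    end
  end

  # Record a rule: action, subject class, and a block evaluated per instance.
  def can(action, subject_class, &condition)
    @rules << [action, subject_class, condition]
  end

  # True if any rule grants `action` on this particular `subject` instance.
  def can?(action, subject)
    @rules.any? do |act, klass, cond|
      act == action && subject.is_a?(klass) && (cond.nil? || cond.call(subject))
    end
  end

  def cannot?(action, subject)
    !can?(action, subject)
  end

  # Raise unless allowed; this is the call the controller relies on.
  def authorize!(action, subject)
    raise AccessDenied, "not allowed to #{action} #{subject.class}" unless can?(action, subject)
    subject
  end
end

# Constructed stand-in for a memberships controller. In Rails the same
# `authorize!` sits at the top of the action (or is performed for you by
# load_and_authorize_resource); the view-level `can?` only hides the link.
class ProjectMembershipsController
  def initialize(current_user)
    @ability = Ability.new(current_user)
  end

  def add(project, person)
    @ability.authorize!(:add_member, project)
    project.people << person unless project.people.include?(person)
    :added
  end

  def remove(project, person)
    @ability.authorize!(:remove_member, project)  # server-side check on this project
    project.people.delete(person)
    :removed
  end
end

# Run an action and report :denied instead of raising, so outcomes are comparable.
def attempt
  yield
rescue AccessDenied
  :denied
end

if $PROGRAM_NAME == __FILE__
  alice = Person.new("alice")  # constructed: project admin
  bob   = Person.new("bob")    # constructed: ordinary member
  carol = Person.new("carol")  # constructed: not yet on the project
  project = Project.new("widgets", people: [alice, bob], admins: [alice])

  p attempt { ProjectMembershipsController.new(bob).add(project, carol) }       # :added
  p attempt { ProjectMembershipsController.new(bob).remove(project, carol) }    # :denied
  p attempt { ProjectMembershipsController.new(alice).remove(project, carol) }  # :removed
end
```

Because the rule blocks receive the project instance, `can?(:remove_member, @project)` in the view and `authorize!(:remove_member, @project)` in the controller evaluate the same membership test, which is what keeps the two layers from drifting apart.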