
I need some help with the authorization. So far I was trying to solve it with the internal Rails authorization combined with Devise. I have a user who is posting a request. If this request is private, only a group of "reader" can see and answer the request. (This is number one)

Then the user gives a rating to the answer of the reader. This should be accessible only to the user who received the answer and the "reader" who gave the answer.

So far I was using the following to limit access to the hidden requests:

 before_filter :require_reader!, only: [:open_requests]

But if the request is not hidden, then still only the reader should be able to answer the request (but all can see it). Here I do not know how to manage this. Any ideas?

To continue... I could not manage to solve the second problem (that the rating is seen only by the one who placed the request and the reader). Any ideas here?

Is cancancan maybe an option?

Best witali

ertix4248
  • What are you using to define the group of "reader" ? Devise is used to authenticate a user so you know who they are, but some of your own logic, or another library, would need to be used to manage group membership and permissions. – LisaD Feb 04 '15 at 17:27
  • Cancancan or xacml are the way to go – David Brossard Feb 05 '15 at 07:06
  • @LisaD: I am using www.railsbricks.net generator (really cool!) and it comes with an admin function. I applied this to the "reader". However, the question is how do I limit the functionality (post and view). Everyone can see it but only "reader" can post an answer. DavidBrossard: Thanks, I will check xacml out. – ertix4248 Feb 07 '15 at 19:32

1 Answer


What you're doing does not quite follow the 'admin' pattern that's commonly set up with tools like Railsbricks. The 'admin' permissions pattern is typically a whole set of actions/views that are available only to admins, so often the entire Controller, or family of controllers, have the :require_admin! filter applied before every single action and view. Very simple permissions logic, and it depends only on the user and view.

Instead, what you've got is views with permissions that depend on your object's state as well as the user's status and the view. So you're going to have to write your own filter to use instead of using 'require_reader!'.

For example, you might have a RequestsController, and you could add to it:

  before_action :must_be_able_to_view_request, except: [:index, :new, :create]

Then define that filter in the controller:

  private

  # The check reads @request, so the record must be loaded before the filter
  # runs; current_user may be nil when the action is reachable while signed out.
  def must_be_able_to_view_request
    @request = Request.find(params[:id])
    reader = current_user && current_user.is_reader?
    head :forbidden unless reader || @request.ispublic
  end

If you need to use the same filter in other Controllers, then you can define it in your ApplicationController.

LisaD
  • You are right with the entire controller. It's a good point. I will try your filter option and let you know when I have some results. Thank you very much for your help! – ertix4248 Feb 11 '15 at 22:19
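The filter from the answer above, carried through as a pure-Ruby policy object that covers both of the asker's problems (hidden-request visibility and reader-only answering, plus rating visibility for the requester and the answering reader); this is an added example, not code from the question, the answer or Railsbricks, and the model names `User`, `Request`, `Answer`, `Rating` and the predicates `is_reader?` / `ispublic` are assumed to match the asker's app.

```ruby
# Constructed stand-ins for the asker's models (assumed names); a Rails app
# would use ActiveRecord classes carrying the same predicates/associations.
User    = Struct.new(:id, :is_reader) do
  def is_reader?
    is_reader
  end
end
Request = Struct.new(:id, :author_id, :ispublic)
Answer  = Struct.new(:id, :request, :reader_id)
Rating  = Struct.new(:id, :answer)

# Pure-Ruby policy: every rule takes the acting user (nil when not signed in)
# and the object, so controllers stay thin and the rules are unit-testable.
module RequestPolicy
  module_function

  # Problem 1a: hidden requests are visible only to readers; public ones to all.
  def view_request?(user, request)
    return true if request.ispublic
    !user.nil? && user.is_reader?
  end

  # Problem 1b: whether or not the request is public, only a reader may answer.
  # (Readers can view every request, so no separate view check is needed.)
  def answer_request?(user, request)
    !user.nil? && user.is_reader?
  end

  # Problem 2: a rating is visible only to the requester and the reader
  # whose answer is being rated; anonymous visitors never see it.
  def view_rating?(user, rating)
    return false if user.nil?
    answer = rating.answer
    user.id == answer.request.author_id || user.id == answer.reader_id
  end
end

# Rails wiring (assumed controller code, not executed here):
#   before_action :set_request   # @request = Request.find(params[:id])
#   before_action(only: [:show])   { head :forbidden unless RequestPolicy.view_request?(current_user, @request) }
#   before_action(only: [:answer]) { head :forbidden unless RequestPolicy.answer_request?(current_user, @request) }

# Constructed fixtures for trying the policy: one requester, one reader,
# one unrelated user, a hidden and a public request, and a rated answer.
REQUESTER  = User.new(1, false)
READER     = User.new(2, true)
STRANGER   = User.new(3, false)
HIDDEN_REQ = Request.new(10, REQUESTER.id, false)
PUBLIC_REQ = Request.new(11, REQUESTER.id, true)
RATING     = Rating.new(30, Answer.new(20, HIDDEN_REQ, READER.id))
```

The policy deliberately denies by default (nil user, non-reader, unrelated user), so a new action that forgets to call it fails closed only if the controller's `before_action` is applied to it; keep the filter on every member action rather than opting in per action.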