
We're looking at the protector gem for attribute-level security. I'd like to auto-restrict all models to the current user by default, so you have to explicitly unrestrict it instead of the other way around. So:

```ruby
Article.find(3) # Is actually eq to Article.restrict!(current_user).find(3)
```

But I'm finding it a little challenging to implement without wrapping/proxying the model. I was wondering if anyone has done this or has an idea of how to implement that type of functionality.

jadent

1 Answer


From the protector documentation:

> Protector is aware of associations. All the associations retrieved from restricted instance will automatically be restricted to the same context. Therefore you don't have to do anything special – it will respect proper scopes out of the box

You just need to restrict the current User itself.

Alex Antonov
  • Thanks, but this isn't about the associations being restricted after restricting the query or the object. This is actually about flipping the pattern from explicitly restricting (`Article.restrict!(current_user)`) to explicitly unrestricting, so all queries & models are auto restricted to the current user and in order to query outside the current user you would have to unrestrict (ex: `Article.unrestrict!.all`) – jadent Sep 03 '15 at 04:56
  • Maybe, `current_user.articles`? – Alex Antonov Sep 03 '15 at 05:11
  • Negative. This is not about using the current functionality. This is about the best way to add new functionality to protector when instantiating a new model it's auto restricted. – jadent Sep 08 '15 at 15:02
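
The restricted-by-default pattern the question describes, as an added example that is not part of the original thread and is not protector's own code. It is a plain-Ruby sketch over an in-memory stand-in model (no ActiveRecord); `Scope`, `DefaultRestricted`, `AccessDenied` and the `:current_subject` thread key are hypothetical names, and only `restrict!`/`unrestrict!` are taken from the page.

```ruby
# Added sketch: plain Ruby, in-memory stand-in model; not protector or ActiveRecord.
# Scope, DefaultRestricted and the :current_subject key are hypothetical names.
class AccessDenied < StandardError; end

# Query object that remembers whether it is restricted, and to whom.
class Scope
  def initialize(model, subject, restricted)
    @model, @subject, @restricted = model, subject, restricted
  end

  def all
    return @model.rows unless @restricted
    raise AccessDenied, "no current subject" if @subject.nil? # fail closed
    @model.rows.select { |row| @model.readable?(row, @subject) }
  end

  def find(id)
    all.find { |row| row[:id] == id } || raise(AccessDenied, "record #{id} not visible")
  end
end

# Bare finders restrict to the subject in Thread.current (assumed set once per request).
module DefaultRestricted
  def current_subject
    Thread.current[:current_subject]
  end

  def restrict!(subject)
    Scope.new(self, subject, true)
  end

  def unrestrict!
    Scope.new(self, nil, false)
  end

  def find(id)
    restrict!(current_subject).find(id)
  end

  def all
    restrict!(current_subject).all
  end
end

class Article
  extend DefaultRestricted
  ROWS = [{ id: 1, owner: "alice" }, { id: 3, owner: "bob" }].freeze # constructed sample data
  def self.rows; ROWS; end
  def self.readable?(row, subject); row[:owner] == subject; end
end
```

With no subject set, the bare finders raise instead of returning unrestricted rows, so a code path that forgets to set the subject cannot read another user's records.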