Is it possible to set up guards with AASM that control event access by user role?
This seems like a fairly common use case, but I can't find a well agreed upon answer. Many people seem to suggest keeping the permission logic in the controllers, which certainly works, but means bleeding the state machine logic into several controllers. This is bad for several reasons, but the most critical is that any updates to the SM will require finding all usages to modify along with the model.
The solution I've come up with works, but I'm very curious if anyone has found a better one.
My solution:
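Within my AASM class, I have included:

    aasm do
      # Runs before every event and receives the arguments passed to the event call
      before_all_events :set_user

      event :sample_event, :guard => :user_can? do
        transitions ...
      end
    end

    private

    def set_user(user)
      @user = user
      @user ||= User.new # fall back to a default user when none is given
    end

    def user_can?
      @user.some_check_on_attributes?
    end
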
Which in turn allows me to do within my controller:

    aasm_class.sample_event current_user

To check against the current user, or alternately:

    aasm_class.sample_event

To check against a default user.
Is this the best way of approaching this issue? Does anyone have a better suggestion?
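
The pattern described in the question, as an added example that is not part of the original post and does not use the aasm gem: a plain-Ruby stand-in that runs the "set user" step before each event's guard, keeps the role check in the model, and denies the event when no user is passed. All names (`Actor`, `Document`, `publish!`, `NotAuthorized`) are hypothetical.

```ruby
# Plain-Ruby stand-in for the guard pattern above (not AASM itself).
# A role-less default actor makes a call without a user fail closed.
Actor = Struct.new(:role) do
  def can_publish?
    role == :editor
  end
end

class NotAuthorized < StandardError; end

class Document
  attr_reader :state

  # event name => [from state, to state, guard method]
  EVENTS = { publish: [:draft, :published, :actor_can_publish?] }.freeze

  def initialize
    @state = :draft
  end

  EVENTS.each do |name, (from, to, guard)|
    # may_publish?(actor): evaluate the guard without changing state
    define_method(:"may_#{name}?") do |actor = nil|
      set_actor(actor)
      @state == from && send(guard)
    end

    # publish!(actor): fire the event, or raise if the guard refuses
    define_method(:"#{name}!") do |actor = nil|
      raise NotAuthorized, "#{name} denied" unless send(:"may_#{name}?", actor)
      @state = to
    end
  end

  private

  # Runs before every event. The actor is reset on each call, so an
  # omitted argument never inherits the permissions of the last caller.
  def set_actor(actor)
    @actor = actor || Actor.new(nil)
  end

  def actor_can_publish?
    @actor.can_publish?
  end
end
```

Controllers only call `doc.publish!(current_user)`; the permission rule itself stays in one place, next to the transition it protects.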