0

I have inherited resources working in my controllers and I use cancan for authorization. However, I have a problem writing required abilities.

I can display particular order in 2 ways:

/profile/123/orders/321
/store/456/orders/321

in controller:

class OrdersController < ApplicationController
  inherit_resources 
  belongs_to :profile, :store, :optional => true
  load_and_authorize_resource
  ...
end

Roles are: user (has_one :profile in Model) and manager (has_one :store in Model)

The requirements (in words) are:

  • Manager can display order(s) in context of (that belongs to) his store.
  • Manager cannot display order(s) in context of any user's profile (Access should be denied)
  • User can display order(s) in context of his profile
  • User cannot display order(s) in context of any store (denied)

I couldn't meet these requirements, maybe I should load resource in special way or actually in 2 ways? Intuition says to me, that access to orders should be based on the access to parent resource in both cases. Thank You for help.

Przemek Maczewski
  • 211
  • 2
  • 13

1 Answers1

0

If you have rights in your ability.rb file for profile and store, then you can just authorize parent too. I.e. something like this:

load_and_authorize_resource :profile
load_and_authorize_resource :store
load_and_authorize_resource :order

Or you can do as it described in CanCan wiki:

Polymorphic associations

Let's say tasks can either be assigned to a Project or an Event through a polymorphic association. An array can be passed into the :through option and it will use the first one it finds.

 load_resource :project
 load_resource :event
 load_and_authorize_resource :task, :through => [:project, :event]

Here it will check both the @project and @event variables and fetch the task through whichever one exists. Note that this is only loading the parent model, if you want to authorize the parent you will need to do it through a before_filter because there is special logic involved.

 before_filter :authorize_parent
 private
 def authorize_parent
   authorize! :read, (@event || @project)
 end
link_er
  • 472
  • 3
  • 11