I have these two models:

class Photo < ActiveRecord::Base
  belongs_to :user
end

class User < ActiveRecord::Base
  has_many :photos
end

and this set up of declarative_authorization for a role:

role :reg_ser do
  has_permission_on :photos, :to => [:show] do
    if_attribute :user_id => is { user.id }
  end
end

and I want to allow the user to display the images that he uploaded - only his images. I mean, for example:

user_id | photo
      1 | 1
      1 | 2
      1 | 3
      2 | 4

And when the user sets the URL /photos/1, this image will be displayed only for user_id 1; when user_id=2 visits this address, he doesn't see the image...

Is it possible to do something like this?

Olly
user984621
  • Do you mean you are using "declarative_authorization"??? If so you've pretty much hit the nail on the head already, assuming you have an appropriately named controller with a "filter_resource_access" directive. – dmcnally Dec 23 '11 at 21:26
  • I already need some sleep. Thanks for kicking me up! – user984621 Dec 23 '11 at 23:23
  • You can use cancan and devise to make things a lot easier for you. – Uchenna Dec 23 '11 at 23:45

1 Answer

You need to put something like

filter_access_to [:index, :new, :create]
filter_access_to [:show, :edit, :update], :attribute_check => true

in your controller and something like

role :reg_ser do
  has_permission_on :photos, :to => [:index, :new, :create]
  has_permission_on :photos, :to => [:show, :edit, :update] do
    if_attribute :user_id => is { user.id }
  end
end

into authorization_rules.rb. So that everything works properly, it is important that you include :attribute_check in the controller for every action where you want to check attributes. I left :index without it, as it is quite easy to just show the current user's things by adding

def begin_of_association_chain
  current_user
end

or similar to the controller (this would cause InheritedResources to have current_user.pictures as the collection).

You may also be interested in reading http://asciicasts.com/episodes/188-declarative-authorization

TheConstructor
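The ownership rule from this answer, run outside Rails as an added example (my own toy stand-in for the declarative_authorization DSL, not the gem's code): the `Authorizer` class, `Ctx`, `can_show?` and the `PHOTOS` data are assumptions I constructed to match the question's table. The `attribute_check:` flag models the difference between `filter_access_to` with and without `:attribute_check => true`.

```ruby
# Added example (not declarative_authorization's code): a toy stand-in for the gem's
# DSL so the answer's rule can be run without Rails. Authorizer, Photo, User, Ctx,
# can_show? and PHOTOS are my own names and constructed data, not the gem's API.
Photo = Struct.new(:id, :user_id)
User  = Struct.new(:id, :role)
Ctx   = Struct.new(:user)   # self while evaluating `is { user.id }` at check time
class Authorizer
  Rule = Struct.new(:role, :resource, :actions, :attr_cond)
  def initialize(&block)
    @rules = []
    instance_eval(&block)
  end
  def role(name, &block)                        # role :reg_ser do ... end
    @role = name
    instance_eval(&block)
  end
  def has_permission_on(resource, to:, &block)  # has_permission_on :photos, :to => [...] do ... end
    @rule = Rule.new(@role, resource, Array(to), nil)
    instance_eval(&block) if block
    @rules << @rule
  end
  def if_attribute(conds); @rule.attr_cond = conds; end   # if_attribute :user_id => is { user.id }
  def is(&block); block; end                               # is { ... } is kept as a block, run per check
  # attribute_check: false models filter_access_to without :attribute_check (action-level
  # check only, so an attribute rule is never consulted); true models :attribute_check => true.
  def permitted?(user, action, resource, object = nil, attribute_check: false)
    @rules.any? do |r|
      next false unless r.role == user.role && r.resource == resource && r.actions.include?(action)
      next true unless attribute_check && r.attr_cond
      next false if object.nil?
      r.attr_cond.all? { |attr, blk| object.public_send(attr) == Ctx.new(user).instance_exec(&blk) }
    end
  end
end
AUTH = Authorizer.new do
  role :reg_ser do
    has_permission_on :photos, :to => [:index, :new, :create]
    has_permission_on :photos, :to => [:show, :edit, :update] do
      if_attribute :user_id => is { user.id }
    end
  end
end
# Constructed to match the question's table: user 1 owns photos 1-3, user 2 owns photo 4.
PHOTOS = [Photo.new(1, 1), Photo.new(2, 1), Photo.new(3, 1), Photo.new(4, 2)]
def can_show?(user_id, photo_id, attribute_check: true)
  photo = PHOTOS.find { |p| p.id == photo_id }
  AUTH.permitted?(User.new(user_id, :reg_ser), :show, :photos, photo, attribute_check: attribute_check)
end
```

`can_show?(2, 1)` is false with the attribute check and true without it, which is exactly the gap that adding `:attribute_check => true` to `filter_access_to` closes.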