Hey all, I'm trying to add authorization to a rather large app that already exists, but I have to obfuscate the details a bit.
Here's the background:
In our app we have a number of roles that are hierarchical, roughly like this:
BasicUser -> SuperUser -> Admin -> SuperAdmin
For authorization each User model instance has an attribute 'role' which corresponds to the above.
We have a RESTful controller "Users" that is namespaced under Backoffice. So in short it's Backoffice::UsersController.
class Backoffice::UsersController < ApplicationController
  filter_access_to :all
  #... RESTful actions + some others
end
So here's the problem:
We want users to be able to give permissions for users to edit users but ONLY if they have a 'smaller' role than they currently have. I've created the following in authorization_rules.rb
authorization do
  role :basic_user do
    has_permission_on :backoffice_users, :to => :index
  end
  role :super_user do
    includes :basic_user
    has_permission_on :backoffice_users, :to => :edit do
      if_attribute :role => is_in { %w(basic_user) }
    end
  end
  role :admin do
    includes :super_user
  end
  role :super_admin do
    includes :admin
  end
end
And unfortunately that's as far as I got; the rule doesn't seem to get applied.
- If I comment the rule out, nobody can edit
- If I leave the rule in you can edit everybody
I've also tried a couple of variations on the if_attribute:
  if_attribute :role => is { 'basic_user' }
  if_attribute :role => 'basic_user'
and they get the same effect. Does anybody have any suggestions?
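A plain-Ruby model of the "may only edit users with a strictly lower role" policy, added here as an example and not part of the post or of the declarative_authorization gem. It assumes the four role names from the rules above and ranks them in the order given; it lets the intended rule be checked without the gem, and the `editable_roles` set is what an `is_in { ... }` condition for `:edit` would have to return for each actor role. Note that declarative_authorization's `filter_access_to` only evaluates `if_attribute` conditions in a controller when it is given `:attribute_check => true` (and an object to check); without it the role-level permission alone decides.

```ruby
# Added example, not from the original post: the role hierarchy from
# authorization_rules.rb, ranked lowest to highest (assumed order).
ROLES = %w[basic_user super_user admin super_admin].freeze

# Position of a role in the hierarchy; nil for an unknown role name.
def role_rank(role)
  ROLES.index(role.to_s)
end

# Roles strictly below the actor's role: the only ones the actor may edit.
# An unknown role gets an empty set, i.e. deny by default.
def editable_roles(actor_role)
  rank = role_rank(actor_role)
  return [] if rank.nil?
  ROLES.first(rank)
end

# Minimal stand-in for the app's User model (constructed for this example).
User = Struct.new(:name, :role)

# True only when the target's role is strictly lower than the actor's.
def can_edit?(actor, target)
  editable_roles(actor.role).include?(target.role.to_s)
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", "super_user")
  bob   = User.new("bob", "basic_user")
  carol = User.new("carol", "super_user")
  puts "super_user may edit: #{editable_roles(alice.role).inspect}"
  puts "alice edits bob?   #{can_edit?(alice, bob)}"   # true
  puts "alice edits carol? #{can_edit?(alice, carol)}" # false (same rank)
end
```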