I am using authlogic (2.1.3) and declarative_authorization (0.4.1) to control access to my application.
All of the authorization works as expected except that users assigned the Editor role can't change their (the current_user supplied by authlogic) profile settings (a part of the User model).
The 'Guest' role works as expected, as does the 'Administrator'.
I am using a User (named 'bob') that has been assigned the Editor role. Verified in the database and in an IRB session.
Relevant contents of the authorization_rules.rb file:

    role :guest do
      # allow anonymous 'user' to create an account
      has_permission_on :users, :to => [:new, :create]
      # allow anonymous 'user' 'read-only' actions
      has_permission_on :users, :to => [:index, :show]
    end

    role :editor do
      # allow authenticated User to see other users
      has_permission_on :users, :to => [:index, :show]
      # allow authenticated User to update profile; doesn't work
      has_permission_on :user, :to => [:edit, :update] do
        if_attribute :user => is { user }
      end
    end

    role :administrator do
      # 'full control'
      has_permission_on :users, :to => [:index, :show, :new, :create, :edit, :update, :destroy]
    end
I believe that the problem relates to the if_attribute :user => is { user }. if_attribute seems to suggest that the :user should be an attribute (or property) of the thing being tested, in this case a User model, rather than being the thing itself. I looked for an if_self method or something similar, but I didn't see anything.
Help is appreciated.
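An added, runnable illustration of the two things going wrong in the editor rule (this is not code from the question and not the declarative_authorization gem; it is a small stand-in evaluator whose semantics are assumed to match the gem's in the relevant respects: a rule applies only when the requested context and privilege match it, and every if_attribute entry must hold by comparing the record's attribute with the block's value for the current user). The controller context defaults to the controller name, so UsersController checks against :users, never :user; and a User record has no `user` attribute, so `if_attribute :user => is { user }` can never be satisfied on it. The usual "own record" check compares the record's :id with the current user's id. Three rule sets are built: the rules as posted, the rules with only the context fixed, and the rules with both fixed. The User/Rule structs and the role names are assumptions made for the example.

```ruby
# Added example, not the question's code and not the declarative_authorization gem.
# A minimal stand-in for "role / has_permission_on / if_attribute" so the posted
# rule and an "own record" rule can be compared stand-alone. Assumed simplifications:
# an object lacking the attribute fails the check instead of raising.

User = Struct.new(:id, :login, :role)

Rule = Struct.new(:role, :context, :privileges, :attribute_checks) do
  # Grants `privilege` on `ctx` for `user` acting on `object`?
  def permits?(user, ctx, privilege, object)
    return false unless context == ctx && privileges.include?(privilege)
    attribute_checks.all? do |attr, expected|
      object.respond_to?(attr) && object.public_send(attr) == expected.call(user)
    end
  end
end

class RuleSet
  def initialize
    @rules = []
  end

  # grant(role, context, privileges, { attribute => lambda(current_user) })
  # mirrors: role :r do has_permission_on ctx, :to => privs do if_attribute ... end end
  def grant(role, context, privileges, checks = {})
    @rules << Rule.new(role, context, Array(privileges), checks)
  end

  def permitted?(user, context, privilege, object = nil)
    @rules.any? { |r| r.role == user.role && r.permits?(user, context, privilege, object) }
  end
end

# Rules shared by every variant below (guest, read-only editor, administrator).
def base_rules
  rs = RuleSet.new
  rs.grant(:guest, :users, [:new, :create, :index, :show])
  rs.grant(:editor, :users, [:index, :show])
  rs.grant(:administrator, :users, [:index, :show, :new, :create, :edit, :update, :destroy])
  rs
end

# As posted: singular :user context and "if_attribute :user => is { user }".
def rules_as_posted
  rs = base_rules
  rs.grant(:editor, :user, [:edit, :update], user: ->(current) { current })
  rs
end

# Context corrected to :users, but the attribute check still names :user,
# which a User record does not have.
def rules_context_fixed
  rs = base_rules
  rs.grant(:editor, :users, [:edit, :update], user: ->(current) { current })
  rs
end

# Both corrected (assumed fix): :users context, compare record :id with the
# current user's id, i.e. "if_attribute :id => is { user.id }".
def rules_corrected
  rs = base_rules
  rs.grant(:editor, :users, [:edit, :update], id: ->(current) { current.id })
  rs
end

# Constructed sample users; 'bob' is the Editor from the question.
BOB   = User.new(1, 'bob', :editor)
ALICE = User.new(2, 'alice', :editor)
ADMIN = User.new(3, 'root', :administrator)
GUEST = User.new(nil, nil, :guest)

# What UsersController#update asks: :update on context :users with the record.
def can_update?(rules, current_user, record)
  rules.permitted?(current_user, :users, :update, record)
end

if __FILE__ == $PROGRAM_NAME
  puts "posted rules, bob -> bob:    #{can_update?(rules_as_posted, BOB, BOB)}"
  puts "context fixed, bob -> bob:   #{can_update?(rules_context_fixed, BOB, BOB)}"
  puts "corrected, bob -> bob:       #{can_update?(rules_corrected, BOB, BOB)}"
  puts "corrected, bob -> alice:     #{can_update?(rules_corrected, BOB, ALICE)}"
  puts "corrected, admin -> alice:   #{can_update?(rules_corrected, ADMIN, ALICE)}"
end
```

In the real application the same two changes apply to authorization_rules.rb: use `has_permission_on :users` (matching UsersController) and `if_attribute :id => is { user.id }`; the controller's `filter_access_to` for :edit and :update also needs `:attribute_check => true` so the record is loaded and the attribute condition is actually evaluated rather than only the role/privilege pair.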