views:

79

answers:

0

I am attempting to secure a Rails 3 controller using declarative_authorization.

The controller has the 7 RESTful actions, three custom member actions (activate, deactivate, copy), and one custom collection action (public). The 'public' action only returns one record, however.

Only the custom collection action (public) should be available to authenticated users; the remainder are only available to the current_user.

# config/authorization_rules.rb
# (wrapping authorization/role/privileges blocks added for completeness;
#  the role name :user is assumed, the post does not show it)
authorization do
  role :user do
    # any authenticated user may call the custom collection action
    has_permission_on :foos, :to => :public
    # everything else only on Foos the current user owns
    has_permission_on :foos, :to => [:full_control, :copy, :activate, :deactivate] do
      if_attribute :user => is { user }
    end
  end
end

privileges do
  privilege :full_control, :includes => [:index, :show, :new, :create, :edit, :update, :destroy]
end

The 4 custom actions are defined in the routes.rb file:

resources :users do
  resources :foos do
    collection do
      get :public                           # /users/:user_id/foos/public (no :id)
    end
    member do
      post :activate, :copy, :deactivate    # /users/:user_id/foos/:id/activate etc.
    end
  end
end

A User has_many Foos; a Foo belongs_to a User.

The 'standard' access control (filter_resource_access :nested_in => :user), as defined in the FoosController, seems to control access to the 7 RESTful actions, but fails to control access to the other 4 (as expected).

When I change the FoosController to:

filter_access_to :all, :nested_in => :users, :attribute_check => true

I get an error that reads "Couldn't find Foo without an ID".

Questions:

  1. The documentation seems to suggest that a :before_filter will be called automatically to load the Foo model when filter_access_to is used. Am I mistaken? Do I need additional configuration of the filter_access_to? Do I need to manually configure a :before_filter?
  2. Do I also need to add using_access_control to the model for my purposes? I'm a little unclear when one needs to add access control to the model when there is access control in the controller.
  3. The documentation describes a privilege named 'create'--it is defined as: privilege :create, :includes => :new. In addition to the :new action, does this privilege automatically include the :create action as a consequence of its name?
  4. If the authorization_rules.rb file is changed, does the server need to be restarted for the new rules to be applied?
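The following is an added example, written for this page and not taken from the question or from the declarative_authorization gem. It is a self-contained Ruby model of the policy the rules above express (the :full_control privilege expansion, the unconditional :public rule, and the ownership attribute check), so that the pass/fail outcome for each (caller, action, params) combination can be seen without Rails. It also reproduces the failure mode in the question: when every action, including the collection action :public, is attribute-checked by loading `Foo.find(params[:id])`, a request with no :id raises "Couldn't find Foo without an ID". The User and Foo structs, the in-memory tables, and the helper names (find_foo, load_for_check, authorize) are assumptions made for the illustration.

```ruby
# Added example, not code from the original post or from declarative_authorization.
User = Struct.new(:id, :name)
Foo  = Struct.new(:id, :user)

# Constructed in-memory "database" (assumption, not real data).
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")
USERS = { 1 => ALICE, 2 => BOB }
FOOS  = { 10 => Foo.new(10, ALICE), 20 => Foo.new(20, BOB) }

# Like ActiveRecord#find: a nil id raises instead of returning nil.
def find_foo(id)
  raise ArgumentError, "Couldn't find Foo without an ID" if id.nil?
  FOOS.fetch(id) { raise KeyError, "Couldn't find Foo with id=#{id}" }
end

# privilege :full_control, :includes => [...] from the rules file.
PRIVILEGES = { full_control: %i[index show new create edit update destroy] }

# has_permission_on :foos, :to => ... ; owner_only: true stands in for
# `if_attribute :user => is { user }`, false for the unconditional :public rule.
RULES = [
  { to: [:public],                                      owner_only: false },
  { to: [:full_control, :copy, :activate, :deactivate], owner_only: true  },
]

# Routing fact from routes.rb: only member actions carry params[:id].
MEMBER_ACTIONS = %i[show edit update destroy activate deactivate copy]

# Expands privileges to the actions they include (:full_control -> 7 actions).
def expand(privs)
  privs.flat_map { |p| [p, *PRIVILEGES.fetch(p, [])] }.uniq
end

# Loads the record a rule's attribute check runs against.
# per_route: true  -> member actions load by params[:id]; collection and new
#                     actions get a fresh Foo under the parent User from
#                     params[:user_id] (the shape a nested resource filter builds).
# per_route: false -> every action loads by params[:id], which is what an
#                     attribute-checked filter on :all does.
def load_for_check(action, params, per_route:)
  if !per_route || MEMBER_ACTIONS.include?(action)
    find_foo(params[:id])
  else
    Foo.new(nil, USERS.fetch(params[:user_id]))
  end
end

# Returns :ok, :denied, or the message of the load error.
def authorize(current_user, action, params, per_route: true)
  rules = RULES.select { |r| expand(r[:to]).include?(action) }
  return :denied if rules.empty?
  # The record is loaded before the rules are consulted, as an attribute-checked
  # filter does, so a missing id fails even when the matching rule has no
  # attribute condition.
  record = load_for_check(action, params, per_route: per_route)
  granted = rules.any? { |r| !r[:owner_only] || record.user == current_user }
  granted ? :ok : :denied
rescue ArgumentError, KeyError => e
  e.message
end

if __FILE__ == $0
  puts "alice show 10        -> #{authorize(ALICE, :show, { id: 10 })}"
  puts "bob show 10          -> #{authorize(BOB, :show, { id: 10 })}"
  puts "bob public (split)   -> #{authorize(BOB, :public, { user_id: 1 })}"
  puts "bob public (:all)    -> #{authorize(BOB, :public, { user_id: 1 }, per_route: false)}"
end
```

The `per_route: true` branch is the behaviour to aim for in the real controller: member actions are loaded by id and ownership-checked, while collection and new actions are checked against a record built under the parent, never via `params[:id]`. In declarative_authorization that split is what `filter_resource_access` provides, and it accepts `:additional_member` and `:additional_collection` options for custom actions, so `filter_resource_access :nested_in => :users, :additional_member => [:activate, :deactivate, :copy], :additional_collection => [:public]` covers all eleven actions without a hand-written before_filter; `filter_access_to :all, :attribute_check => true` corresponds to the `per_route: false` branch and reproduces the error from the question.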