I have two models (Item and Theme). They are both owned by a third model Users with a has_many association (User has many Themes and Items). Both Item and Theme have_many :images.
The Image model is a polymorphic association, so the table has the columns imageable_id and imageable_type. If I had both an Item with ID 1 and a Theme with ID 1, the table would look like:

    id   imageable_id   imageable_type
    ----------------------------------
    1    1              Item
    2    1              Theme

I'm using declarative_authorization to re-write the SQL queries of my database to keep users from accessing items outside their account. I'd like to write an authorization rule that will allow a user to read an image only if they can read the item they own. I can't seem to get the correct syntax (perhaps it's not supported):

    has_permission_on [:images], :to => [:manage], :join_as => :and do
      if_attribute :imageable => is { "Item" }
      if_permitted_to :manage, :items # Somehow I need to tell declarative_auth that imageable_id is an item_id in this case.
    end

Then I'd have another rule mimicking the above but for themes:

    has_permission_on [:images], :to => [:manage], :join_as => :and do
      if_attribute :imageable => is { "Theme" }
      if_permitted_to :manage, :themes # Somehow I need to tell declarative_auth that imageable_id is a theme_id in this case.
    end

Any ideas? Thanks in advance!
- Corith Malin
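
The two sample rows above share imageable_id 1, so any check that resolves an image's parent has to use imageable_type and imageable_id together. The following is an added illustration in plain Ruby, not part of the original post and not declarative_authorization's API; the user ids, the data and every method name are assumptions made up for the example.

```ruby
# Plain Ruby stand-ins for the models in the question (no Rails, no
# declarative_authorization). All records below are constructed.
Item  = Struct.new(:id, :user_id)
Theme = Struct.new(:id, :user_id)
Image = Struct.new(:id, :imageable_id, :imageable_type)

# Constructed data: Item 1 belongs to user 10, Theme 1 belongs to user 20.
ITEMS  = { 1 => Item.new(1, 10) }.freeze
THEMES = { 1 => Theme.new(1, 20) }.freeze
IMAGES = [Image.new(1, 1, "Item"), Image.new(2, 1, "Theme")].freeze

# Allow-list of parent types. An unknown imageable_type is denied and is
# never turned into a class name.
PARENTS = { "Item" => ITEMS, "Theme" => THEMES }.freeze

# Resolve the parent using BOTH columns of the polymorphic key.
def parent_of(image)
  table = PARENTS[image.imageable_type]
  table && table[image.imageable_id]
end

# An image is manageable only if its parent exists and the user owns it.
def can_manage_image?(user_id, image)
  parent = parent_of(image)
  !parent.nil? && parent.user_id == user_id
end

# Flawed variant for comparison: it matches on imageable_id alone, so the
# owner of Item 1 also passes for the image attached to Theme 1.
def can_manage_image_by_id_only?(user_id, image)
  item = ITEMS[image.imageable_id]
  !item.nil? && item.user_id == user_id
end

# Stand-in for a scoped query: only the images the user may manage.
def manageable_images(user_id)
  IMAGES.select { |img| can_manage_image?(user_id, img) }
end
```
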