Authorization on instances

I want to limit access to an instance of a model, so authorization
based on an action wouldn't suffice. Is there any plugin with this kind
of functionality or am I on my own? Any hints?

Just write the code in the model yourself. Here's some untested code:

class Book
  belongs_to :user

class User
  has_many :books

  def find_book(book_id)
    # Assumes we have a boolean 'admin' field
    if admin?
      Book.find book_id
      books.find book_id

Then in your code, you can just do
current_user.find_book params[:id]

that kinda thing. Now the authorization is offloaded to the user
model, and you don't even have to worry about authorization in your
client code. Alternatively, you could do a can_read? sort of method:

def can_read?(book)
  admin? || !books.find_by_id(

There's certainly a way to make the can_read? method more efficient,
but you get the idea.

Those are two different approaches I would take, and it would depend
on how I want to write my code. A lot of the times I prefer the
first, because authorization is effective but transparent. A downside
is that you don't know whether a user is unauthorized or if the book
just doesn't if you want to treat those cases differently
then you'll prefer the second approach.



Going through ActiveRBAC manual right now, and I still can't find it.
Can you point me to the section of the documentation that talks about
this functionality?

Bill Katz has released what looks like a great plugin for this.

Damn, it seems Google eat my inspired post. It couldn't possibly be me,
oh no. :slight_smile: Trying to recuperate now...

My first post might have been a bit misleading. I'm not what you might
call a skilled programmer, possibly not even a clear thinker. What I
actually meant when writing "limiting access" is to ask about
authorization on all of CRUD operations.

Obviously I have to admit I'm struggling a bit with your example.
Perhaps I should give my own. I'm trying to make some sort of a CMS for
my school web site. Let's say I have a model Course. There are some
models related to the Course, like Announcement, Report, etc. I have to
ensure that only authorized personnel can create, update and delete
content for a specific course, make an announcement related to that
course etc. So, Maths related personnel would make changes only to that
instance of the Course model (and the instances of related models).
There is probably going to be about two dozens of authorized users,
possibly more, divided into groups which are going to be used for
authorization management. But, first things first. So far I've found

and it looks promising. Only, I'm kind of cautious, since none of the
plugins I've seen so far uses the same approach, they all deal with
restricting access based on an action, not on URL. Are there any
shortcomings I should be aware of regarding this article?

What I'm looking for is hopefully some of plugin with this
functionality, but I'll settle with some article or tutorial about the
issue. It couldn't possibly be a unique problem, so I'm thinking there
must be some good reference on the mighty net. It doesn't even has to
be strictly about RoR (see how desperate I am?) I've tried Googling,
but perhaps not using the right keywords (not being native speaker
doesn't help either). I'm quite willing (and eager) to do my share of
hard work, just need a pointing finger (probably to the obvious).
Thanks for the patience (and for even reading this far). :slight_smile:

Hi, I would recommend reading chapters 4 and 5 of the ‘ActiveRBAC Manual’.

Good luck,


Yes, this looks like something I should dwell on. Thanks everyone.