I'm using the latest RESTful_ACL plugin - GitHub - mdarby/restful_acl: Rails gem/plugin that provides contextual access control to RESTful resources. - and so far it has fulfilled my app needs... I control the access to the several models depending on the user's role and the REST action. Although, I have a question:
For example, imagine that I have an User, each User can have many Numbers, and each Number can have many Profiles. A User can only access his Numbers and hence only the Profiles associated with each of those Numbers he owns.
Imagine that I have an User 1, which owns the Number 1, which has a Profile 1. And there's another User 2, which owns the Number 2, which has a Profile 2.
I can protect the access to a particular Number and Profile using self.is_readable_by(user. object). User 1 is successfully blocked when trying to access /numbers/2 and /numbers/2/profiles/2 But I'm having problems finding a way to _not_ allow a User to access the index of Profiles for a Number that he doesn't own.
How could I protect the User 1 from accessing the index of Profiles belonging to User 2? /numbers/2/profiles
