combine two has_and_belongs_to_many

a "User" has_and_belongs_to_many "Roles"
a "Role" has_and_belongs_to_many "Rights"

how can i relate Users and Rights? i would like something like
@user.rights
i know it can be done via SQL, but i don't know if there is a more
rails-way to do this.
any suggestion?
thanks.

What do you mean by how to relate them? As you have defined it then
if you have a user, @user, then @user.roles will give you an array of
roles and @user.role[0].rights will give you an array of rights for
that role.

Colin

you can add a "rights" method to your user that collects up all the
rights for all of the User's roles:

def rights
  roles.collect { |role| role.rights }.flatten.uniq
end

This gives you a starting point... you can memoize that method if you
access it a lot, or tweak it however suits...

HTH
Michael

thanks. i will try this, but i'm searching for something that can be
used with some named_scope (based on the rights).

It would help if you mentioned that in your first post then, rather
than just asking how to determine @users.rights...

I tend to use something like this in my models:

  named_scope :for_user, lambda { |user| scope_hash_for_user(user) }

  private
  def self.scope_hash_for_user(user)
    case (user.role rescue nil)
    when :admin
      # see everything
    when :client
      # see nothing
      { :conditions => ["1 = 0"] }
    when :customer_admin
      # their company and below
      { :conditions => ["groupable_entities.id IN (SELECT company.id
FROM groupable_entities AS company
                          WHERE company.id in (?))",
user.company.self_and_descendants_ids] }
    when :customer
      # their company
      { :conditions => ["groupable_entities.id IN (SELECT company.id
FROM groupable_entities AS company
                          WHERE company.id = ?)", user.company.id] }
    else
      raise Aegis::PermissionError, "Unknown role"
    end
  end

In the controller I can call Model.for_user(current_user) to return
the items they are permitted to see, and combine it with Aegis for
permissions-checking on specific instances of objects in controllers
and views. Speaking to the developers of Aegis, they're hoping to
introduce some named-scope permissions method in their next release,
but depending on the timescale, I might look to see if CanCan handles
the problem better.