combine two has_and_belongs_to_many

A "User" has_and_belongs_to_many "Roles".
A "Role" has_and_belongs_to_many "Rights".

How can I relate Users and Rights? I would like something like @user.rights. I know it can be done via SQL, but I don't know if there is a more Rails way to do this. Any suggestion? Thanks.

What do you mean by how to relate them? As you have defined it, if you have a user, @user, then @user.roles will give you an array of roles and @user.roles[0].rights will give you an array of rights for that role.


You can add a "rights" method to your user that collects up all the rights for all of the User's roles:

  def rights
    roles.collect { |role| role.rights }.flatten.uniq
  end

This gives you a starting point... you can memoize that method if you access it a lot, or tweak it however suits...

HTH Michael

Thanks. I will try this, but I'm searching for something that can be used with some named_scope (based on the rights).

It would help if you mentioned that in your first post then, rather than just asking how to determine @users.rights...

I tend to use something like this in my models:

  named_scope :for_user, lambda { |user| scope_hash_for_user(user) }

  private

  def self.scope_hash_for_user(user)
    case (user.role rescue nil)
    when :admin
      # see everything
    when :client
      # see nothing
      { :conditions => ["1 = 0"] }
    when :customer_admin
      # their company and below
      { :conditions => [" IN (SELECT FROM groupable_entities AS company
                          WHERE in (?))",] }
    when :customer
      # their company
      { :conditions => [" IN (SELECT FROM groupable_entities AS company
                          WHERE = ?)",] }
    else
      raise Aegis::PermissionError, "Unknown role"
    end
  end

In the controller I can call Model.for_user(current_user) to return the items they are permitted to see, and combine it with Aegis for permissions-checking on specific instances of objects in controllers and views. Speaking to the developers of Aegis, they're hoping to introduce some named-scope permissions method in their next release, but depending on the timescale, I might look to see if CanCan handles the problem better.
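Added example, not code from any poster in this thread: it combines the memoized `rights` method and the `for_user` scope hash discussed above, but keys the scope on rights instead of role names and denies by default. It uses plain Ruby stand-ins so it runs without Rails; the right names `view_all` and `view_company` and the `company_id` column are assumptions.

```ruby
# Added example: plain-Ruby stand-ins so it runs without Rails.
# All names (view_all, view_company, company_id) are hypothetical.
Right = Struct.new(:name)
Role  = Struct.new(:name, :rights)

class User
  attr_reader :roles, :company_id

  def initialize(roles, company_id)
    @roles = roles
    @company_id = company_id
  end

  # Union of rights across all roles, memoized per instance.
  # The cache goes stale if roles are changed on a live object.
  def rights
    @rights ||= roles.collect { |role| role.rights }.flatten.collect(&:name).uniq
  end

  def right?(name)
    rights.include?(name)
  end
end

DENY_ALL = { :conditions => ["1 = 0"] }.freeze

# Options hash a named_scope lambda could return. The broadest right wins;
# anything unrecognised or incomplete falls through to DENY_ALL.
def scope_hash_for_user(user)
  return DENY_ALL if user.nil?
  if user.right?(:view_all)
    {} # no restriction
  elsif user.right?(:view_company) && user.company_id
    { :conditions => ["company_id = ?", user.company_id] } # bound parameter
  else
    DENY_ALL
  end
end

# Constructed sample data
VIEW_ALL     = Right.new(:view_all)
VIEW_COMPANY = Right.new(:view_company)
ADMIN    = Role.new(:admin,    [VIEW_ALL, VIEW_COMPANY])
CUSTOMER = Role.new(:customer, [VIEW_COMPANY])
CLIENT   = Role.new(:client,   [])
```

In a model this would be wired up the same way as the scope above: `named_scope :for_user, lambda { |user| scope_hash_for_user(user) }`.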