New Plugin: RESTful_Acl

Thanks Matt!

It would be great if the instructions would cover a bit more how to use it. I'm just fighting with it.

undefined local variable or method `error_url' is the error I have now. And I only added before_filter :has_permission? to one controller. I'm not so experienced with RoR but anyway...

Regards

It seems as though you're using the first revision of RESTful_ACL that expected a few named routes to exist. I've taken these requirements out in the latest versions, so if you update the plugin you should be ready to roll right away.

  ./script/plugin remove http://restful-acl.googlecode.com/svn/tags/restful_acl
  ./script/plugin install http://restful-acl.googlecode.com/svn/tags/restful_acl

Hope this helps and thanks for checking out RESTful_ACL!

Hi,

As part of another topic you were asking for suggestions/comments about the plugin documentation.

This post: Using roles vs namespaces for admin - Rails - Ruby-Forum

I started looking at it but decided to put it away since I'm not so experienced. I hope you could make some example about how to use it and integrate it to a simple app.

The contents of the readme is pasted below (not much help there)

---------

RestfulAcl

Introduction goes here.

Example

Example goes here.

---------

Then the other piece of info is in google code: Google Code Archive - Long-term storage for Google Code Project Hosting.

But again that's for experienced people. What kind of user model is needed, role model? Again a simple example would be much more helpful.

undefined local variable or method `error_url'

That was the first problem I had. Besides not knowing how to get the plugin in the first place, since you assume that people know how to add the repository before installing. I didn't, so I had to ask again.

Still the error_url was not fixed. Now based on some other info from the last days it might be that I just need to create a "error" route in the routes file and that's what you are calling. But still it requires some further additions.

Part of your documentation is "and a smattering of mapped URLs in order to work." Well, that's something I would really elaborate a "bit" more.

Of course you can target your plugin to people with lot of experience but I'm sure many people will look at the info available before deciding to try it out.

I guess this is some feedback already :sunglasses:

Cheers!

Good point about the readme file; I will update that with the contents from the Google repository. The write up says that this plugin expects that you are using the RESTful_Authentication plugin; it creates the User model for you and also supplies other needed methods. All you need to do is add the before_filter to the User controller and the four CRUD functions to the User model and RESTful_ACL is ready to work. Just follow the steps in the Google write up and you'll be up and running in seconds.

The write up now includes directions on how to add the required named routes to your routes.rb file. Experience is all relative; I'd only used RoR for a few months at the time of writing RESTful_ACL :slight_smile:

Thank you for feedback and I hope this will help!

Hi, excellent! I'll give it a try and see how it goes after I finish some stuff. I'm learning every minute :sunglasses:

Thanks.

Hello,

Sorry if my question looks stupid, but I am quite new to RoR. I am looking at an ACL plugin for my projects (I have already decided on Restful_Authentication) and I have a question about restful_acl. Let's say that I have 2 roles, teachers and students, and a Note model: a teacher can create, update, view and delete his notes (not the ones from another teacher) and a student can only see his notes.

If I understood correctly, in note.rb (my model) I need to define the 4 methods described in the plugin documentation (is_updatable_by, is_deletable_by, ...). But I am not sure how to write these methods to restrict the access depending on the note I am evaluating and not only on the role:

  def is_updatable_by(user)
    # note should be updatable only by the teacher who created it
    user.is_teacher? and ???
  end

  def self.is_readable_by(user, object = nil)
    # note should be readable only by all the teachers or by the student who has this note
    user.is_student? or user.eql?(object.author)
  end

Thanks very much for your help. Additional question: why are some of the methods "self." and not the others?

Given you have a relationship

  belongs_to :owner, :class_name => "Teacher", :foreign_key => "owner_id"

  def is_updatable_by(user)
    # note should be updatable only by its owner
    user.is_teacher? and self.owner == user
  end

Best regards

Peter De Berdt

Hi Tranquiliste, thanks for using RESTful_ACL! To answer your questions:

To restrict editing of a Note to only the Teacher who created it I would do (in Note)

  belongs_to :author, :foreign_key => 'created_by_id', :class_name => 'Teacher'

  def is_updatable_by(user)
    user.eql?(author)
  end

  # object is nil when called for the index action, so guard before
  # dereferencing it
  def self.is_readable_by(user, object = nil)
    user.is_teacher? || (object && object.student_id == user.id)
  end

When you say 'note should be readable by the student who has this note' I've assumed that you're linking each Note with a Student in some fashion.

As for your last question: the is_readable_by and is_creatable_by methods are class methods, meaning that they operate at the class level and not with just a single object. (Note instead of note, if you get my drift). That's where the 'self' comes into play.

Thanks both of you for the answers. I am going to look at them.

Nicolas

Hello,

Sorry to bother you again but what if several teachers can modify the note and a teacher can modify several notes? (which means we have a model note-owner?)

In Note.rb:

  def is_updatable_by(user)
    user.eql?(author) || user.is_a?(Teacher)
  end

Thanks again, but in my case not all the teachers can modify the note, only those who have been authorized.

A bit of common sense could take you a long way:

  def is_updatable_by(user)
    user.eql?(author) || (user.is_a?(Teacher) && user.is_authorized?)
  end

Replace the is_authorized? method with something else if you want, maybe something that has a bit more logic behind it…

Best regards

Peter De Berdt

Sorry I am stupid, I have just understood something (I won't tell you what because I will look even more stupid), and I think I am ready now to do what I want.

Thanks again for your help

Nicolas

Hello,

Me again, because I don't understand why the is_readable_by method is defined as a class method. If I have a class Invoice and someone asks to view an invoice, it should call @invoice.is_readable_by(current_user) and not a generic Invoice.is_readable_by(current_user).

Would you mind explaining this choice?

Thanks very much Nicolas

Sure thing.

The is_readable_by() method pulls double duty. It is a class method as it supports the Object::index action, along with the Object::show action.

Since the index action usually deals with a collection of objects, it must be a class method. The method includes a parameter variable, object, that can represent a singular object when checking access on that singular object. This takes care of the Object::show action (that normally deals with just one object).

In your case, if you want to check access on a singular invoice object, you can do: Invoice.is_readable_by(current_user, @invoice).

Hope this helps!
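The following is an added example, not code from the thread or from the RESTful_ACL plugin itself. It puts the three rules discussed above into one plain-Ruby model (no Rails, no database): the author-only update/delete rule from Matt's first reply, the "only explicitly authorized teachers may edit" case Peter answered with is_authorized?, and the index-versus-show split that makes is_readable_by a class method taking an optional object. The User, Teacher, Student and Note classes, the editors set, the ACTION_CHECKS table and the has_permission? dispatcher are all constructed for this example; they stand in for what RESTful_Authentication and the plugin's before_filter would supply in a real app.

```ruby
require 'set'

# Minimal stand-in for the RESTful_Authentication user model (constructed for
# this example). Equality is by id so a Set of users behaves like a DB lookup.
class User
  attr_reader :id

  def initialize(id)
    @id = id
  end

  def ==(other)
    other.is_a?(User) && other.id == id
  end
  alias eql? ==

  def hash
    id.hash
  end

  def is_teacher?
    is_a?(Teacher)
  end

  def is_student?
    is_a?(Student)
  end
end

class Teacher < User; end
class Student < User; end

class Note
  attr_reader :id, :author, :student, :editors

  # author:  the Teacher who created the note (belongs_to :author in Rails)
  # student: the Student the note is about
  # editors: Teachers explicitly authorized to edit it (the many-to-many case)
  def initialize(id, author:, student:, editors: [])
    @id = id
    @author = author
    @student = student
    @editors = Set.new(editors)
  end

  # Class method because it serves both index (collection, object == nil)
  # and show (the single note is passed as `object`).
  def self.is_readable_by(user, object = nil)
    return false if user.nil?
    return user.is_teacher? if object.nil?       # index: only teachers list notes
    user.is_teacher? || object.student == user   # show: any teacher, or the note's student
  end

  # Class method: there is no instance yet when new/create is authorized.
  def self.is_creatable_by(user)
    !user.nil? && user.is_teacher?
  end

  # Instance methods: the decision depends on this particular note.
  def is_updatable_by(user)
    return false if user.nil?
    user == author || (user.is_teacher? && editors.include?(user))
  end

  def is_deletable_by(user)
    !user.nil? && user == author
  end
end

# Map each RESTful controller action to the model check, the way a
# before_filter :has_permission? would dispatch.
ACTION_CHECKS = {
  'index'   => ->(user, _note) { Note.is_readable_by(user) },
  'show'    => ->(user, note)  { Note.is_readable_by(user, note) },
  'new'     => ->(user, _note) { Note.is_creatable_by(user) },
  'create'  => ->(user, _note) { Note.is_creatable_by(user) },
  'edit'    => ->(user, note)  { note.is_updatable_by(user) },
  'update'  => ->(user, note)  { note.is_updatable_by(user) },
  'destroy' => ->(user, note)  { note.is_deletable_by(user) }
}.freeze

MEMBER_ACTIONS = %w[show edit update destroy].freeze

# Deny by default: an unknown action, a missing user, or a member action
# with no record loaded all return false rather than raising.
def has_permission?(user, action, note = nil)
  check = ACTION_CHECKS[action]
  return false if check.nil?
  return false if note.nil? && MEMBER_ACTIONS.include?(action)
  check.call(user, note)
end
```

Usage: build a few users and a note (for instance `note = Note.new(100, author: alice, student: sam, editors: [bob])`) and call `has_permission?(bob, 'update', note)`. The point to carry back into a real Rails model is the fail-closed shape: every path that cannot positively establish a permission returns false, including the index call where `object` is nil, so a missing record never turns into a NoMethodError that a rescue further up might treat as "allowed".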