I have an application that requires some complex access rules.
Certain fields can only be edited by certain roles. I am using
restful_authentication and role_requirement plugins so I am fine with
restricting an entire controller or specific action based on a role.
I am trying to come up with a solution that would allow me to specify
something as a text field but make it just plain text if the user does
not have edit permissions. Anyone have any ideas on fine-grained
access control like this? Can you point me to a project that uses
something like this?

I don't have any leads for you, but I'm very interested in this
myself. I do have one thought: I imagine you could roll your own text
field helper method (and then probably helper methods for the other
form elements). Something like:
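
require 'active_support/inflector'
module ActionView
  module Helpers
    module FormHelper
      # Renders an editable text field when the current user holds
      # options[:required_role]; otherwise renders the value as plain text.
      def secured_text_field(object_name, method, options = {})
        options = options.dup
        # Remove the role so it is not emitted as an HTML attribute.
        required_role = options.delete(:required_role)
        if current_user.has_role?(required_role)
          text_field(object_name, method, options)
        else
          # Resolve @<object_name> as text_field does, and HTML-escape the value.
          object = instance_variable_get("@#{object_name}")
          "<div id=\"#{object_name}_#{method}\">#{h(object.send(method))}</div>"
        end
      end
    end
  end
end
# (I added the above to the ApplicationHelper.rb file but not within
# the Module namespace... i.e. after it.)
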
I'm sure there's a cleaner way, but the above works. I tried doing it
within the FormBuilder constraints (i.e. "f.secured_text_field...") but
I don't understand that code... lots of meta-programming there.
Anyway, I tested the above and it works. Hopefully that gets you
started.

I think there is a Ruby gem called model_security which provides such
fine-grained access control from within the model.
I don't know, though, if it's maintained and up to date and/or runs
nicely on Rails 2.
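
A helper like secured_text_field only decides what the form shows, so the update action still has to drop fields the user's role may not write. The following is an added example, not code from any poster in this thread: plain Ruby in which FIELD_ROLES, User, permitted_attributes and editable? are hypothetical names, and User stands in for a model with the has_role? method used above.

```ruby
# Added example: one field-to-role map drives both the view decision and
# the server-side filtering of submitted attributes.
# FIELD_ROLES, User, permitted_attributes and editable? are hypothetical names.

# Which role may edit which field; fields not listed are editable by nobody.
FIELD_ROLES = {
  'title'  => :editor,
  'body'   => :editor,
  'status' => :moderator,
  'owner'  => :admin
}.freeze

# Minimal stand-in for a user model that responds to has_role?.
User = Struct.new(:login, :roles) do
  def has_role?(role)
    roles.include?(role)
  end
end

# Split submitted attributes into those the user may write and those
# that must be dropped (and are worth logging).
def permitted_attributes(user, submitted, field_roles = FIELD_ROLES)
  allowed = {}
  rejected = []
  submitted.each do |field, value|
    role = field_roles[field.to_s]
    if role && user.has_role?(role)
      allowed[field.to_s] = value
    else
      rejected << field.to_s
    end
  end
  [allowed, rejected.sort]
end

# View side: true means render an input, false means render plain text.
def editable?(user, field, field_roles = FIELD_ROLES)
  role = field_roles[field.to_s]
  !role.nil? && user.has_role?(role)
end

if __FILE__ == $PROGRAM_NAME
  editor = User.new('pat', [:editor]) # constructed sample user
  params = { 'title' => 'New', :status => 'published', 'admin' => '1' } # constructed
  allowed, rejected = permitted_attributes(editor, params)
  puts "update with: #{allowed.inspect}"
  puts "dropped:     #{rejected.inspect}"
end
```

In a controller, only the first return value would be passed to the model's update call; the second is what to log.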