Question

I have a Rails 3 app with the declarative_authorization and inherited_resources gems installed. Let me show you some code from my app:

class Blog < ActiveRecord::Base
  has_many :posts
  has_many :memberships, :class_name => "BlogMembership"

  # Membership scopes by type; a higher type implies the lower ones
  # (a moderator is also an author and a subscriber).
  has_many :subscribers, :through => :memberships, :source => :user, :conditions => "blog_memberships.membership_type = #{BlogMembership::SUBSCRIBER} or blog_memberships.membership_type = #{BlogMembership::AUTHOR} or blog_memberships.membership_type = #{BlogMembership::MODERATOR}"
  has_many :authors, :through => :memberships, :source => :user, :conditions => "blog_memberships.membership_type = #{BlogMembership::AUTHOR} or blog_memberships.membership_type = #{BlogMembership::MODERATOR}"
  has_many :moderators, :through => :memberships, :source => :user, :conditions => "blog_memberships.membership_type = #{BlogMembership::MODERATOR}"
end


class Post < ActiveRecord::Base
  belongs_to :blog, :counter_cache => true
  belongs_to :author, :class_name => "User", :foreign_key => "user_id"
end


class BlogMembership < ActiveRecord::Base
  belongs_to :user
  belongs_to :blog

  # Membership types:
  SUBSCRIBER = 0
  AUTHOR = 1
  MODERATOR = 2
end

My authorization rules:

authorization do
  role :guest do
    description "Not logged in users and users not assigned to any group"

    ##### Blogs and Posts
    has_permission_on :blogs, :to => [ :read, :list ]

    has_permission_on :posts, :to => [ :read, :feed ]
    # Note: the rules file is evaluated once when it is loaded, so this `if`
    # is checked at load time, not per request.
    has_permission_on :posts, :to => :flag if User.current
  end

  role :admin do
    description "Administrators"
    has_omnipotence # Can manage all
  end

  role :moderator do
    description "Blog moderators"

    includes [ :guest, :blogger ]

    has_permission_on :posts, :to => :manage do
      if_attribute :blog => { :moderators => contains { user } }
    end
  end

  role :blogger do
    description "Blog authors"

    includes :guest
    has_permission_on :posts, :to => :create do
      if_attribute :blog => { :authors => contains { user } }
    end
    has_permission_on :posts, :to => :manage do
      if_attribute :author => is { user }
    end
  end
end

privileges do
  # default privilege hierarchies to facilitate RESTful Rails apps
  privilege :manage, :includes => [:create, :read, :update, :delete]
  privilege :read, :includes => [:index, :show]
  privilege :create, :includes => :new
  privilege :update, :includes => :edit
  privilege :delete, :includes => :destroy
end

In posts/index.html.haml I use:

- if permitted_to? :create, :posts
  .button.add-post
    = link_to "New post", new_resource_path

And in my posts_controller:

class PostsController < InheritedResources::Base
  respond_to :html

  belongs_to :blog
  filter_access_to :all
end

Looks good, but does not work :(

The test user has the moderator role with a moderator membership for one of the blogs, but no membership in the second blog.

With the following rules and code, any user with the moderator role can create a post in any blog.

Could you tell me please what I need to change to allow only blog authors and moderators to post to their own blogs, but not to other blogs?


Solution

Not the most elegant way, but I solved it with the following:

  1. Changed the access filter in posts_controller:

    filter_resource_access :nested_in => :blog

  2. Added a method to posts_controller:

    protected

    # Build the new post inside the blog from the URL, so the
    # authorization check runs against that blog's memberships.
    def new_post_for_collection
      @post = Blog.find(params[:blog_id]).posts.new
    end

  3. Changes in index.html.haml (check the built post, not just the :posts context):

    - if permitted_to? :create, @post
      .button.add-post
        = link_to "New post", new_resource_path
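Why the original view check passes for every moderator, and why the answer's nested-resource fix closes it, comes down to what the check is given: `permitted_to? :create, :posts` names only a resource type, so there is no blog to evaluate `if_attribute :blog => { :moderators => contains { user } }` against and the decision falls back to the role alone; `permitted_to? :create, @post`, with `@post` built inside `Blog.find(params[:blog_id])`, gives the rule an actual blog to check. The following is an added example, not code from the question, the answer, or the declarative_authorization gem: a plain-Ruby model (no Rails, no database) with a tiny rule evaluator that skips the attribute condition on type-level checks and evaluates it on instances, plus a `build_post` helper that, like the answer's `new_post_for_collection`, takes the parent blog from the route and ignores any `blog_id` submitted in the form body. `User`, `Blog`, `Post`, `Rule`, `permitted?`, `build_post`, `create_allowed?` and the sample users and blogs are all constructed for this illustration.

```ruby
# Added example: plain-Ruby model of the question's symptom and the answer's fix.
# Not the original post's code and not declarative_authorization's implementation;
# all names and sample data below are constructed for illustration.

User = Struct.new(:id, :roles)                 # roles: effective role symbols
Blog = Struct.new(:id, :authors, :moderators)  # arrays of User
Post = Struct.new(:blog, :author)

# A rule: `role` may perform `privilege` on `resource`, optionally only when
# condition(user, object) holds. The condition stands in for if_attribute.
Rule = Struct.new(:role, :privilege, :resource, :condition)

RULES = [
  Rule.new(:blogger,   :create, Post, ->(u, post) { post.blog.authors.include?(u) }),
  Rule.new(:moderator, :create, Post, ->(u, post) { post.blog.moderators.include?(u) }),
].freeze

# Type-level check (the question's `permitted_to? :create, :posts`): there is no
# object to evaluate the condition on, so a rule for the user's role counts as a
# match and the answer depends on the role alone. Instance-level check: the
# condition is actually evaluated against that object's blog.
def permitted?(user, privilege, resource)
  RULES.any? do |rule|
    next false unless rule.privilege == privilege && user.roles.include?(rule.role)
    next false unless resource == rule.resource || resource.is_a?(rule.resource)
    next true if resource.is_a?(Class)   # type-level check: condition skipped
    rule.condition.call(user, resource)
  end
end

# Controller side of the fix (the answer's new_post_for_collection): the parent
# blog comes from the route's :blog_id, never from the submitted post fields, so
# a blog_id smuggled into the form body cannot move the post to another blog.
def build_post(blogs_by_id, route_blog_id, post_params = {})
  blog = blogs_by_id.fetch(route_blog_id)  # KeyError (a 404 in Rails) for unknown blogs
  # post_params[:blog_id] is intentionally ignored.
  Post.new(blog, nil)
end

# What the view and controller should ask after the fix: authorize the built instance.
def create_allowed?(user, blogs_by_id, route_blog_id, post_params = {})
  permitted?(user, :create, build_post(blogs_by_id, route_blog_id, post_params))
end

# Constructed sample data mirroring the question's test user: moderator of one
# blog, no membership in the other.
ALICE  = User.new(1, [:guest, :blogger, :moderator])
BOB    = User.new(2, [:guest])
BLOG_A = Blog.new(1, [ALICE], [ALICE])
BLOG_B = Blog.new(2, [], [])
BLOGS  = { 1 => BLOG_A, 2 => BLOG_B }.freeze

if __FILE__ == $PROGRAM_NAME
  puts permitted?(ALICE, :create, Post)              # true: the question's symptom
  puts create_allowed?(ALICE, BLOGS, 1)              # true: her own blog
  puts create_allowed?(ALICE, BLOGS, 2)              # false: no membership there
  puts create_allowed?(ALICE, BLOGS, 2, blog_id: 1)  # false: smuggled blog_id ignored
end
```

The same shape applies in the real app: `filter_resource_access :nested_in => :blog` loads the parent and builds the child through it before the filter runs, and the view asks `permitted_to? :create, @post` so the `if_attribute` block has a blog to inspect. A context-only `permitted_to? :create, :posts` is still fine for menus that should show for any user who could create a post somewhere, but it must not be the check that gates the actual action.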
Licensed under: CC-BY-SA with attribution