Declarative authorization nested if_attribute

Question

I'm having some difficulty understanding the documentation for declarative authorization and nested if_attributes.

Models:

class Company < ActiveRecord::Base
  has_many :users, :through => :division
end

class Division < ActiveRecord::Base
  belongs_to :company
  has_many :users
end

class User < ActiveRecord::Base
  belongs_to :post
end

My rule:

role :company_admin do
includes :company_admin
  has_permission_on :companies, :to => [:index, :show, :edit, :update] do
  if_attribute :id => is { user.division.company.id } # This is the problem....
end

In my hierarchy, I have a company_admin role defined that should be allowed to edit his own company and all divisions and users. There is another role above company admin which has the ability to fully edit & add companies and all roles below.

Where I seem to be hung up is at the rule listed above (I know that isn't correct, it's just filler for an example). I need to establish that the current user can ONLY edit his own company, not any other. This seems to be a nested if_attribute but I can't seem to understand the examples of nested if_attributes in the documentation.

Thanks in advance for any assistance!

Answer 1

The resolution did not need a nested if_attribute. The example that I used was actually correct, there were other permission errors in my authorization_rules.rb file that this user was inheriting that caused the confusion.

if_attribute :id => is { user.division.company.id } #This was the correct if_attribute