Attribute check on nested resource with declarative authorization
-
02-07-2021 - |
Question
I'm trying to add filter_access_to
with attribute_check: true
but my model, Assignment
, is nested on Project
and I want to check that the current user is assigned to the project so he/she can update the assignments (i.e. all the assignments, not just a specific one) on the project.
I have the next permission:
has_permissions_on :assignment do |a|
to :read
if_attribute :user, is { user }
end
And in my controller:
filter_access_to :all, require: :manage, context: :assignment, attribute_check: true
The problem is that I can't access the index page because it doesn't find the assignment's id.
My models are:
class User < ActiveRecord::Base
has_many :assignments
has_many :projects, through: :assignments
end
class Project < ActiveRecord::Base
has_many :assignments
has_many :users, through: :assignments
end
class Assignment < ActiveRecord::Base
belongs_to :user, inverse_of: :assignments
belongs_to :project, inverse_of: :assignments
end
Solution
Unless you have a very specific need to use filter_access_to
, you can use filter_resource_access
(see docs) instead and specify :nested_in
option.
Simply change your filer_access_to
line with the following (or similar):
filter_resource_access nested_in: :projects
If you really want to continue using filter_access_to
, then you need to create an instance of Assignment associated with Project and assign it to @assignment
instance variable in a before_filter
. This is what Declarative Authorization does under the hood when you use filter_resource_access
.
OTHER TIPS
Here's the code that did the trick for me:
before_filter :set_assignment
filter_access_to [:index,:create,:destroy], require: :manage, context: :assignment, attribute_check: true
....
def set_assignment
@project ||= Project.find(params[:project_id])
p = {project_id: @project.id}.merge(params[:assignment] || {})
@assignment ||= (params[:id] ? Assignment.find(params[:id]) : Assignment.new(p))
end
No idea why filter_resource_access :nested_in => :project
didn't work. It worked for index
but it didn't for create
and destroy
.