Topic: declarative_authorization's contains and inherited_resources

Hi,
I have a Rails 3 app with the declarative_authorization and
inherited_resources gems installed. Let me show you some code from my
app:

    # app/models/blog_membership.rb
    class BlogMembership < ActiveRecord::Base
      belongs_to :user
      belongs_to :blog
      # Membership types (stored in blog_memberships.membership_type):
      SUBSCRIBER = 0
      AUTHOR = 1
      MODERATOR = 2
    end

    # app/models/blog.rb
    class Blog < ActiveRecord::Base
      has_many :posts
      has_many :memberships, :class_name => "BlogMembership"
      # Every member (subscriber, author or moderator) counts as a subscriber.
      has_many :subscribers, :through => :memberships, :source => :user,
        :conditions => "blog_memberships.membership_type = #{BlogMembership::SUBSCRIBER} " +
                       "or blog_memberships.membership_type = #{BlogMembership::AUTHOR} " +
                       "or blog_memberships.membership_type = #{BlogMembership::MODERATOR}"
      # Authors and moderators may both write.
      has_many :authors, :through => :memberships, :source => :user,
        :conditions => "blog_memberships.membership_type = #{BlogMembership::AUTHOR} " +
                       "or blog_memberships.membership_type = #{BlogMembership::MODERATOR}"
      # Moderators only.
      has_many :moderators, :through => :memberships, :source => :user,
        :conditions => "blog_memberships.membership_type = #{BlogMembership::MODERATOR}"
    end

    # app/models/post.rb
    class Post < ActiveRecord::Base
      belongs_to :blog, :counter_cache => true
      belongs_to :author, :class_name => "User", :foreign_key => "user_id"
    end

My authorization rules:

    authorization do
      role :guest do
        description "Not logged in users and users not assigned to any group"
        ##### Blogs and Posts
        has_permission_on :blogs, :to => [ :read, :list ]
        has_permission_on :posts, :to => [ :read, :feed ]
        has_permission_on :posts, :to => :flag if User.current
      end
      role :admin do
        description "Administrators"
        has_omnipotence # Can manage all
      end
      role :moderator do
        description "Blog moderators"
        includes [ :guest, :blogger ]
        # Full control over posts in blogs where the user is a moderator
        has_permission_on :posts, :to => :manage do
          if_attribute :blog => { :moderators => contains { user } }
        end
      end
      role :blogger do
        description "Blog authors"
        includes :guest
        # May create posts in blogs where the user is an author
        has_permission_on :posts, :to => :create do
          if_attribute :blog => { :authors => contains { user } }
        end
        # May manage own posts
        has_permission_on :posts, :to => :manage do
          if_attribute :author => is { user }
        end
      end
    end
    privileges do
      # default privilege hierarchies to facilitate RESTful Rails apps
      privilege :manage, :includes => [:create, :read, :update, :delete]
      privilege :read, :includes => [:index, :show]
      privilege :create, :includes => :new
      privilege :update, :includes => :edit
      privilege :delete, :includes => :destroy
    end

In posts/index.html.haml I use:

    - if permitted_to? :create, :posts 
      .button.add-post 
        = link_to "New post", new_resource_path 

and in my posts_controller:

    class PostsController < InheritedResources::Base 
      respond_to :html 
      belongs_to :blog 
      filter_access_to :all 
    end 

Looks good, but it does not work :(
The test user is in the moderators group, with a moderator membership for one
of the blogs but without any membership in the second blog.
With the rules and code above, any user with the moderator role can create a
post in any blog.
Could you please tell me what I need to change to allow only blog
authors and moderators to post to their own blogs, but not to the other
blogs?

Last edited by alec-c4 (2011-02-18 11:16:11)

Re: declarative_authorization's contains and inherited_resources

Not the most elegant way, but I solved it with the following:

1. Changed the access filter in posts_controller:

    filter_resource_access :nested_in => :blog

2. Added a method to the posts controller:

      protected

      # Build the new post under its blog, so the if_attribute checks on
      # :blog have a concrete blog (and its members) to evaluate against.
      def new_post_for_collection
        @post = Blog.find(params[:blog_id]).posts.new
      end

3. Changes in index.html.haml:

    - if permitted_to? :create, @post 
      .button.add-post 
        = link_to "New post", new_resource_path
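The difference the answer relies on, as an added example that is not part of the thread and not declarative_authorization's own code: plain Ruby that models the posted rules (role and privilege hierarchies, the three rules that can grant :create on posts) and compares a check that has no post to inspect with a check against a post built under its blog, the way new_post_for_collection builds it. The structs, the lambda conditions standing in for the if_attribute blocks, the sample users and blogs, and the treatment of a missing object as "attribute condition skipped" are all assumptions of this example.

```ruby
# Added example, not code from the thread or from declarative_authorization.
# Plain Ruby that models the rule logic posted above so the difference
# between a check without an object and a check against a post built under
# its blog can be run offline.

User = Struct.new(:name, :roles)
Blog = Struct.new(:title, :authors, :moderators)
Post = Struct.new(:blog, :author)

# Privilege hierarchy from the question's `privileges` block:
# :manage includes :create, so a :manage rule can grant :create.
PRIVILEGE_INCLUDES = { manage: [:create, :read, :update, :delete] }

# Role hierarchy from the question's `authorization` block.
ROLE_INCLUDES = { moderator: [:guest, :blogger], blogger: [:guest], guest: [] }

# The three rules on :posts that can grant :create. The condition lambdas
# stand in for the if_attribute blocks; `post` is the object under test.
RULES = [
  { role: :moderator, privilege: :manage,
    condition: ->(user, post) { post.blog.moderators.include?(user) } },
  { role: :blogger, privilege: :create,
    condition: ->(user, post) { post.blog.authors.include?(user) } },
  { role: :blogger, privilege: :manage,
    condition: ->(user, post) { post.author == user } },
]

# Transitive closure over an "includes" table (roles or privileges).
def expand(items, table)
  items.each_with_object([]) do |item, acc|
    stack = [item]
    until stack.empty?
      cur = stack.pop
      next if acc.include?(cur)
      acc << cur
      stack.concat(table.fetch(cur, []))
    end
  end
end

# Privileges that grant `privilege`: itself plus anything that includes it.
def granting_privileges(privilege)
  [privilege] + PRIVILEGE_INCLUDES.select { |_, incl| incl.include?(privilege) }.keys
end

# object == nil models the checks in the question: `filter_access_to :all`
# and `permitted_to? :create, :posts` have no post to test, so the attribute
# condition cannot be evaluated and is skipped here (assumed modelling), which
# lets any holder of the role through. Passing a Post models the answer's
# `filter_resource_access :nested_in => :blog` with new_post_for_collection
# and `permitted_to? :create, @post`, where the condition is evaluated.
def permitted?(user, privilege, object = nil)
  roles = expand(user.roles, ROLE_INCLUDES)
  privs = granting_privileges(privilege)
  RULES.any? do |rule|
    next false unless roles.include?(rule[:role]) && privs.include?(rule[:privilege])
    object.nil? || rule[:condition].call(user, object)
  end
end

# Constructed sample data: alice moderates "home", bob authors it, "other"
# has no members. The post under test is what new_post_for_collection builds:
# tied to the blog, author not set yet, so only the membership rules decide.
def demo
  alice = User.new("alice", [:moderator])
  bob   = User.new("bob", [:blogger])
  home  = Blog.new("home", [bob], [alice])
  other = Blog.new("other", [], [])
  {
    no_object:       permitted?(alice, :create),                  # true
    mod_own_blog:    permitted?(alice, :create, Post.new(home, nil)),  # true
    mod_other_blog:  permitted?(alice, :create, Post.new(other, nil)), # false
    author_own_blog: permitted?(bob, :create, Post.new(home, nil)),    # true
    author_other:    permitted?(bob, :create, Post.new(other, nil)),   # false
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The no_object result is the symptom from the question: with nothing to evaluate the `contains { user }` condition against, holding the moderator role is enough. Once the check is made against a post that carries its blog, the same rules restrict alice to "home" and deny her "other", which is the behaviour the answer's three changes produce.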