ruby on rails - Is there any way to access the parent object in a Cancan nested resource ability? -

-

i have nested resource i'm using cancan authorization. need able access parent object in order able authorize :index action of child (since no child instance passed :index action). 

# memberships_controller.rb class membershipscontroller < applicationcontroller   ...   load_and_authorize_resource :org   load_and_authorize_resource :membership, through: :org   .. end

ability.rb

can [:read, :write], membership |membership|   membership.org.has_member? user end

this doesn't work :index action

unfortunately index action doesn't have membership instance associated , can't work way check permissions.

in order check permissions, need interrogate parent object (the org) , ask whether current user member e.g.

# ability.rb ... can :index, membership, org: { self.has_member? user }

cancan lets me this...

cancan states can access parent's attributes using following mechanism: https://github.com/ryanb/cancan/wiki/nested-resources#wiki-accessing-parent-in-ability

# in ability can :manage, task, :project => { :user_id => user.id }

however works comparing attributes doesn't work case.

how can access parent object though?

is there way access parent object within permissions?

i faced same problem , ended following (assuming have org model):

class membershipscontroller < applicationcontroller   before_action :set_org, only: [:index, :new, :create] # if shallow nesting enabled (see link @ bottom)   before_action :authorize_org, only: :index    load_and_authorize_resource except: :index    # orgs/1/memberships   def index     @memberships = @org.memberships   end    # ...  private    def set_org     @org = org.find(params[:org_id])   end    def authorize_org     authorize! :access_memberships, @org   end  end

ability.rb:

can :access_memberships, org |org|   org.has_member? user end

useful links

https://github.com/ryanb/cancan/issues/301

http://guides.rubyonrails.org/routing.html#shallow-nesting


Comments

Post a Comment

Popular posts from this blog

c# - How to get the current UAC mode -

-
can check current uac type set in device before running application through c#. i got know approach check whether current user administrator or not. but, need know uac type set (i.e. default/never notify) internal logic. is possible? please help. this article self-elevation , checking level program runs in. due security reasons i'm afraid won't able retrieve uac level set. http://code.msdn.microsoft.com/windowsdesktop/csuacselfelevation-644673d3
Read more

postgresql - Lazarus + Postgres: incomplete startup packet -

-
i've been building lazarus pascal program using postgresql on back-end. used work fine following lines opening db. dbconn:= tpqconnection.create(nil); dbconn.hostname := 'localhost'; dbconn.databasename:= 'dbhrs'; dbconn.username:='mizk'; dbconn.password:='123'; dbconn.open; if dbconn.connected openhrsdb := true else openhrsdb := false; but moment change localhost server's ip (on lan), program stops. no errors or warnings. have no clue happening. here related details may narrow down problem. the program i'm running workstation on same lan server. both machines run ubuntu 12.04 desktop i can access postgres db on server using pgadmin iii, guess it's not firewall issue. i have allowed postgresql ufw , ufw disabled. strangely, when firewall disabled, can ssh server terminal using workstation. when it's enabled, can't my biggest concern right why pascal program not working when i...
Read more

javascript - Ajax jqXHR.status==0 fix error -

-
$.ajax({ url: urlstring, datatype: "json", type: "get", success: function (data) { alert(data); }, error: function (jqxhr, exception) { if (jqxhr.status === 0) { alert('not connect.\n verify network.'); } else if (jqxhr.status == 404) { alert('requested page not found. [404]'); } else if (jqxhr.status == 500) { alert('internal server error [500].'); } else if (exception === 'parsererror') { alert('requested json parse failed.'); } else if (exception === 'timeout') { alert('time out error.'); } else if (exception === 'abort') { alert('ajax request aborted.'); } else { alert('uncaught error.\n' + jqxhr.responsete...
Read more