I am using declarative_authorization in my app. I am a bit confused about how declarative_authorization authenticates the object when checking authorization.
For example:
My authorization rules file looks like this:
role :Teacher do
  has_permission_on :results, :to => [:new, :create]
  has_permission_on :results, :to => [:show, :edit, :index, :update, :destroy] do
    if_attribute :user => is { user }
  end
end

class MonitorsController < ApplicationController
  def result
    @result = Result.find_by_user_id(params[:user_id])
  end
end

I am displaying the result to teachers only.
In my view:
<% edit_permission = (permitted_to? :show, @results) %>
<% if edit_permission %>
  // display results
<% end %>
Problem: The issue is with the @results instance. It always returns false for the @results object.
Query: Do we need to use filter_resource_access for authenticating the object? In my case I am manually fetching the result object instead of using filter_resource_access.