chaps-io / access-granted

Multi-role and whitelist based authorization gem for Rails (and not only Rails!)
MIT License

Can we use with `gem 'role_model'` #27

Closed F1sn1k closed 8 years ago

F1sn1k commented 8 years ago

First, congratulations on your work.

In our application, one admin can have multiple roles, as listed below. We use the role_model gem.

Roles are defined in admin.rb: `roles :account_manager, :customer_support, :data_entry, :sales_rep, :advertising_rep, :management, :tech_support, :super_admin`

It works fine with CanCan, but I liked your gem a lot. Can this ability.rb of CanCan be replaced with an access_policy.rb? If yes, please help me out.


```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    if user.admin?
      can :manage, :all
    else
      cannot :manage, OperatingExpense
      cannot :manage, AttendanceRecord
    end

    # every admin may read colleagues in the same group and edit their own record
    can :read, Admin, group: user.group

    can :manage, Admin, id: user.id

    if user.manager?
      can :manage, Admin, group: user.group
      cannot :manage, BlockedLocation
    end

    can :manage, Shop, admin_group: user.group # renders the account_manager role moot
    can :manage, Order do |order|
      order.shop.admin_group == user.group
    end

    # role-based abilities
    if user.has_role? :account_manager, :customer_support, :data_entry, :sales_rep, :advertising_rep, :management
      can :manage, Admin do |admin|
        admin.id == user.id
      end
      can :manage, Shop
      can :manage, Coupon
      can :manage, Comment
      can :manage, Order
      can :manage, OrderAdjustment
      can :manage, ReceivedCall
      can :manage, Ledger
      can :manage, Payout
      can :manage, Ticket
      can :manage, Chain
      can :manage, User
      can :manage, BlockedIpAddress
      can :manage, BlockedLocation
    end

    if user.has_role? :super_admin, :tech_support
      can :manage, :all # :all grants every action on every subject
    end
  end
end
```

pokonski commented 8 years ago

Yes, you can. You need to move those has_role? checks inside the procs for role blocks.

Something like this:


```ruby
role :admin, proc { |user| user.has_role? :admin } do
  # admin permissions
end

role :manager, proc { |user| user.manager? } do
  # manager permissions
end
```

and so on. Please note that AccessGranted doesn't have `can :manage, :all`, so your permissions need to be explicit.
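The translation pokonski describes, carried through as a runnable added example (this is not code from the issue or from the AccessGranted project): each role predicate is a proc evaluated against the current user, and every permission inside a role block is an explicit allow entry, so anything not listed is denied. To run without the gem it uses a small hand-written evaluator; `MiniPolicy`, `policy_for` and the `Struct` models are constructed for this example and are not the gem's API. The role names, model names and conditions are taken from the ability class in the question.

```ruby
# Constructed stand-ins for the issue's ActiveRecord models (not real models).
Admin = Struct.new(:id, :group, :roles, keyword_init: true) do
  # role_model-style check: true if the admin holds any of the given roles (constructed)
  def has_role?(*names)
    names.any? { |n| roles.include?(n) }
  end
end
Shop             = Struct.new(:admin_group, keyword_init: true)
Order            = Struct.new(:shop, keyword_init: true)
OperatingExpense = Struct.new(:amount, keyword_init: true)

# Minimal policy evaluator in the shape of a role-block DSL (assumption: this is
# NOT the AccessGranted gem). A role block is applied only when its proc returns
# true for the user; `can` entries are an explicit whitelist; default is deny.
class MiniPolicy
  Rule = Struct.new(:action, :subject, :conditions, :block)

  attr_reader :user

  def initialize(user, &config)
    @user = user
    @rules = []
    instance_exec(&config)
  end

  # Evaluate the block only if `matcher` says the user holds this role.
  def role(_name, matcher, &block)
    instance_exec(&block) if matcher.call(user)
  end

  # Record an allow rule; `conditions` compares attributes, `block` is a custom test.
  def can(action, subject, conditions = nil, &block)
    @rules << Rule.new(action, subject, conditions, block)
  end

  # Allowed only if some rule from a role the user holds matches; otherwise denied.
  def can?(action, target)
    @rules.any? { |r| matches?(r, action, target) }
  end

  private

  def matches?(rule, action, target)
    return false unless rule.action == :manage || rule.action == action
    klass = target.is_a?(Class) ? target : target.class
    return false unless klass <= rule.subject
    return true if target.is_a?(Class) # class-level query: may this role ever touch the type?
    return rule.block.call(target) if rule.block
    return rule.conditions.all? { |k, v| target.public_send(k) == v } if rule.conditions
    true
  end
end

# The CanCan ability from the question, expressed role by role.
def policy_for(user)
  MiniPolicy.new(user) do
    # No `can :manage, :all`: the privileged role must list every model it may touch.
    role :super_admin, proc { |u| u.has_role?(:super_admin, :tech_support) } do
      can :manage, Admin
      can :manage, Shop
      can :manage, Order
      can :manage, OperatingExpense
    end

    role :staff, proc { |u| u.has_role?(:account_manager, :customer_support, :data_entry, :sales_rep, :advertising_rep, :management) } do
      can :manage, Admin, id: user.id       # own record only
      can :read,   Admin, group: user.group # colleagues in the same group
      can :manage, Shop,  admin_group: user.group
      can :manage, Order do |order|
        order.shop.admin_group == user.group
      end
    end
  end
end
```

With the real gem the `role` and `can` calls live in the `configure` method of a class that includes `AccessGranted::Policy`; the point the stand-in demonstrates is the same: an admin with no matching role gets an empty rule set and every `can?` query returns false, and a model left out of a role block is unreachable for that role rather than silently granted by `:all`.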

F1sn1k commented 8 years ago

@pokonski Thanks for the answer.

Is there something like CanCan's `load_and_authorize_resource`, and also a skip, e.g. `skip_load_and_authorize_resource only: :create`?

pokonski commented 8 years ago

There isn't at the moment, but I'm considering adding `authorize_resource`. Loading should not be AG's responsibility. I'm avoiding building a colossus like CanCan and keeping it simple.

F1sn1k commented 8 years ago

Thanks @pokonski. Great job, btw.

pokonski commented 8 years ago

Glad you like it! :) I'm gonna close this one; if you find any other problems, let's do that in a new issue :+1: