james2m / canard

Makes role based authorization in Rails really simple. Wraps CanCan and RoleModel up with a smattering of syntactic sugar, some generators and scopes.
MIT License

Non-inherited Roles #17

Closed elsom25 closed 10 years ago

elsom25 commented 10 years ago

Is it possible to create roles that don't inherit abilities from "lesser" roles? I need two separate roles that are disjoint, and it seems that's not possible atm.

james2m commented 10 years ago

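If you have a User model:

app/models/user.rb

```ruby
class User < ActiveRecord::Base
  has_many :countries
  has_many :accounts

  # Declares the roles a user may hold.
  acts_as_user roles: [:manager, :rep]
end
```

app/models/account.rb

```ruby
class Account < ActiveRecord::Base
  belongs_to :user
end
```

app/models/country.rb

```ruby
class Country < ActiveRecord::Base
  belongs_to :user
end
```

abilities/reps.rb

```ruby
# Abilities granted to users holding the :rep role.
Canard::Abilities.for(:rep) do
  can :manage, Account
end
```

abilities/managers.rb

```ruby
# Abilities granted to users holding the :manager role.
Canard::Abilities.for(:manager) do
  can :manage, Country
end
```

abilities/users.rb

```ruby
# Base abilities, defined for the User model itself.
Canard::Abilities.for(:user) do
  can :manage, User, id: user.id
end
```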

Then only abilities/users.rb is inherited. So a user can manage their own User record. Users with the role :rep can manage Account where user_id == user.id and users with role :manager can manage all countries.

elsom25 commented 10 years ago

Ahh okay, thank you. Reading the docs, I got the impression that given your example,

```ruby
acts_as_user roles: [:manager, :rep]
```

any user with role manager would have the ability:

```ruby
can :manage, User, id: user.id
can :manage, Account
can :manage, Country
```

Glad to see this isn't the case, and that it's only abilities/users.rb that's inherited.
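Added example, not part of the thread and not Canard's or CanCan's code: a simplified Ruby model of the composition rule described above (base `:user` abilities plus only the roles a user actually holds), usable as a template for a role-separation check. `ToyAbility`, `role_matrix` and the `Struct` stand-ins for the models are hypothetical names.

```ruby
# Simplified model of the rule described in this thread (an assumption-based
# sketch, not Canard's implementation): abilities come from the base :user
# definition plus each role assigned to the user; roles never inherit from
# one another.
Account = Struct.new(:user_id)
Country = Struct.new(:name)
User    = Struct.new(:id, :roles)

class ToyAbility
  DEFINITIONS = {} # role name => block, mirroring the abilities/*.rb files

  def self.for(role, &block)
    DEFINITIONS[role] = block
  end

  attr_reader :user

  def initialize(user)
    @user  = user
    @rules = []
    # Base abilities first, then only the roles this user holds.
    ([:user] + user.roles).each { |role| instance_eval(&DEFINITIONS.fetch(role)) }
  end

  def can(action, klass, conditions = {})
    @rules << [action, klass, conditions]
  end

  # Pass a class to ask about the type, or an instance to also apply conditions.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule_action, rule_klass, conditions|
      next false unless rule_klass == klass && [:manage, action].include?(rule_action)
      subject.is_a?(Class) || conditions.all? { |attr, value| subject[attr] == value }
    end
  end
end

ToyAbility.for(:user)    { can :manage, User, id: user.id }
ToyAbility.for(:rep)     { can :manage, Account }
ToyAbility.for(:manager) { can :manage, Country }

# Access matrix for the two role-specific models, for one user.
def role_matrix(user)
  ability = ToyAbility.new(user)
  [Account, Country].map { |klass| [klass.name, ability.can?(:read, klass)] }.to_h
end
```

In a real application the same assertions would be written against the app's own `Ability.new(user)` in its test suite, so a later change to an abilities file cannot silently widen a role.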