stffn / declarative_authorization

An unmaintained authorization plugin for Rails. Please fork to support current versions of Rails
MIT License

Unable to check user information if user is not logged in #140

Closed oranges13 closed 12 years ago

oranges13 commented 12 years ago

We have a situation where we needed to create a pseudo-role, such that a guest user who has no other roles can see posts that belong to them.

However, we are coming across the issue that, if a user is not logged in, we receive an error because it cannot find the attribute.

# in services_controller.rb
filter_access_to :show, :attribute_check => true

# in authorization_rules.rb
role :guest do
  # services
  has_permission_on :services, :to => [:create_new, :services_misc]
  has_permission_on :services, :to => [:read, :export] do
    if_attribute :supervisorID => is { user.ID }
  end
end

As you can see, our intent is to check to make sure that the record belongs to that person and they can view it. However, if you are not logged in, you receive this error:

undefined method `ID' for #<Authorization::AnonymousUser:0x007fe9f80a9da0>

We tried several things to force the log in first:

has_permission_on :services, :to => [:read, :export] do
  if_attribute :current_user => is { user } do
    if_attribute :supervisorID => is { user.ID }
  end
end

This did not work.

Is there a way to force log in so that the user information is then set?

stffn commented 12 years ago

This really concerns the usage. Please use the mailing list for these requests.
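
The failure reported in this thread, and one fail-closed way to evaluate the same ownership check, as an added example (not code from the issue or from declarative_authorization). The classes, the `:member` role, `RULES`, `OWNS`, `roles_for` and `permitted?` are hypothetical stand-ins that model the rule without loading the gem.

```ruby
# Constructed stand-ins for this example; not declarative_authorization's classes.
AnonymousUser = Struct.new(:role_symbols)   # no ID method, as in the reported error
User          = Struct.new(:ID, :role_symbols)
Service       = Struct.new(:supervisorID)

# The ownership comparison from the issue's rule: supervisorID must equal user.ID.
OWNS = ->(user, record) { record.supervisorID == user.ID }

# role => { privilege => attribute check, or nil when the privilege needs none }
# :member is a hypothetical role that only authenticated users receive.
RULES = {
  guest:  { create_new: nil, services_misc: nil },
  member: { read: OWNS, export: OWNS }
}.freeze

# Roles follow authentication state, so an anonymous request never holds :member.
def roles_for(logged_in)
  logged_in ? [:guest, :member] : [:guest]
end

# True only if one of the user's roles grants the privilege and its attribute
# check passes. A check that cannot be evaluated denies access (fail closed).
def permitted?(user, privilege, record = nil)
  user.role_symbols.any? do |role|
    rules = RULES.fetch(role, {})
    next false unless rules.key?(privilege)
    check = rules[privilege]
    next true if check.nil?
    begin
      # A nil supervisorID never matches, so an unowned record cannot be
      # claimed by a user object whose ID is also nil.
      !record.nil? && !record.supervisorID.nil? && check.call(user, record) == true
    rescue NoMethodError
      false # the user object has no ID (anonymous user)
    end
  end
end
```

The nil guard matters if the anonymous user object is ever given an `ID` that returns nil: without it, such a user would match every record whose `supervisorID` is unset.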