stffn / declarative_authorization

An unmaintained authorization plugin for Rails. Please fork to support current versions of Rails
MIT License

Inconsistencies between permit and Model.with_permissions_to #201

Open hachpai opened 9 years ago

hachpai commented 9 years ago

Hello,

I have the following rule:

role :generic_user do
  has_permission_on :admin_users, :to => [:update, :show, :edit] do
    if_attribute :id => is { user.id }, :test_method => true
  end
end

test_method is defined like that:

class User < ActiveRecord::Base
  has_and_belongs_to_many :roles

  def test_method
    true
  end

  def role_symbols
    roles.select(:name).map {|r| r.name.parameterize.underscore.to_sym} << :generic_user
  end

end

If I try to access the /admin/user page, the rule is correctly taken into account: I can change the return value of test_method from true to false, and permit seems to do its work correctly, because I get the form if true and am redirected to access_denied if false.

But if I try to make

  <% User.with_permissions_to(:show, context: :admin_users).each do |u| %>
  <%= u.name %>
  <% end %>

(Note: I must set the context because my user controller is in an admin module.) This fails:

PG::InvalidTextRepresentation: ERROR:  invalid input syntax for integer: "f"
LINE 1: ...ECT "users".* FROM "users" WHERE (("users"."id" = 'f' AND "u...
                                                             ^
: SELECT "users".* FROM "users" WHERE (("users"."id" = 'f' AND "users"."id" = 'f'))

I get 't' or 'f', depending on the return value of the method.

But if I reverse the rule like this:

role :generic_user do
  has_permission_on :admin_users, :to => [:update, :show, :edit] do
    if_attribute :test_method => true, :id => is { user.id }
  end
end

The access to the page still depends on the return value of test_method, but with_permissions_to doesn't fail; it just ignores the method part of the rule and only considers the "id is user.id" condition attribute.

I do that because I would like to define methods that would perform SQL queries to define hierarchical access rules.

Thank you for your work and future help,

PH
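The two behaviours described in this report (a rule that passes in memory but either produces `"users"."id" = 'f'` or silently drops a condition when turned into SQL) come down to one difference: an in-memory check can call any method on a loaded record, while a scope can only express conditions on real columns. The following is an added, self-contained toy model of that difference, written for this thread; it is not declarative_authorization's code, and `FakeUser`, `permitted_in_memory?`, `sql_where` and `records_with_permissions` are hypothetical names. The point it makes from a defender's side is the fail-closed handling: a scope that cannot translate a condition should refuse or fall back to the full in-memory rule, never return rows the rule would have denied.

```ruby
# Added example (not declarative_authorization's own code): a toy model of the
# two evaluation paths the issue contrasts. `permitted_in_memory?` stands in
# for the in-memory check behind permit / filter_access_to, and `sql_where`
# for the SQL translation with_permissions_to must do. Names are hypothetical.

# Constructed stand-in for an ActiveRecord model: two real columns plus a
# method that is not backed by any column (like test_method in the issue).
class FakeUser
  COLUMNS = %w[id name].freeze
  attr_reader :id, :name

  def initialize(id, name)
    @id = id
    @name = name
  end

  def test_method
    true
  end
end

# In memory, every key is just a method call on the record, so column
# attributes and plain Ruby methods are indistinguishable. This is why a
# mixed rule passes when it is evaluated against a loaded record.
def permitted_in_memory?(record, conditions)
  conditions.all? { |attr, expected| record.public_send(attr) == expected }
end

# Raised when a condition refers to something that is not a column. Such a
# rule cannot be expressed as a WHERE clause; the safe reaction is to refuse
# (fail closed), not to emit "users"."test_method" = 'f' or to drop the
# condition and return rows the rule would have denied (fail open).
class NonColumnCondition < StandardError; end

def sql_where(table, columns, conditions)
  conditions.map do |attr, expected|
    unless columns.include?(attr.to_s)
      raise NonColumnCondition, "#{attr} is not a column of #{table}"
    end
    literal = case expected
              when Integer then expected.to_s
              when String  then "'#{expected.gsub("'", "''")}'"
              else raise ArgumentError, "unsupported literal #{expected.inspect}"
              end
    %("#{table}"."#{attr}" = #{literal})
  end.join(" AND ")
end

# A with_permissions_to-style scope that never silently weakens the rule:
# push the conditions into SQL when every attribute is a column, otherwise
# fall back to loading the candidate rows and applying the full rule in Ruby.
def records_with_permissions(records, table, columns, conditions)
  { strategy: :sql, where: sql_where(table, columns, conditions) }
rescue NonColumnCondition
  { strategy: :in_memory,
    records: records.select { |r| permitted_in_memory?(r, conditions) } }
end

if __FILE__ == $PROGRAM_NAME
  users = [FakeUser.new(42, "alice"), FakeUser.new(7, "bob")]
  rule  = { id: 42, test_method: true } # the mixed rule from the report
  puts permitted_in_memory?(users[0], rule)
  puts records_with_permissions(users, "users", FakeUser::COLUMNS, rule).inspect
  puts records_with_permissions(users, "users", FakeUser::COLUMNS, { id: 42 }).inspect
end
```

With the mixed rule the scope falls back to the in-memory filter and returns only the record that satisfies both parts; with a column-only rule it produces a WHERE clause. Either way the result set is never wider than what the in-memory check would allow, which is the property the two failing cases in the report lack.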

zeiv commented 9 years ago

I'm not sure why you're getting that behavior... the DSL is still a tad buggy, in my opinion. Can you try changing your code to

has_permission_on :admin_users, :to => [:update, :show, :edit] do
  if_attribute :test_method => true
  if_attribute :id => is { user.id }
end

and post the result? In my experience sometimes things in the DSL that should be DRY start acting strangely. In the meantime I'll see if I can figure this out... Oh, and would you mind posting your controller as well? Don't forget that you have to set :attribute_check => true

Edit: I just noticed that your post was from 6 months ago... sorry for the late reply!