Rails CanCan Simple_form association issue


Why doesn't CanCan stop the dept_tech role from creating users in departments that the dept_tech role has no access to?

I'm using CanCan authorization with simple_form views. I have a User model and a Department model.

```ruby
class User < ActiveRecord::Base
  belongs_to :department
  ...
end

class Department < ActiveRecord::Base
  has_many :users
  ...
end
```

I have an Ability model:

```ruby
class Ability
  include CanCan::Ability

  def initialize(user)
    Rails.logger.debug { " >>>>>>> user id: #{user.id} ......" }
    if user.role? :admin
      ...
    elsif user.role? :dept_tech
      Rails.logger.debug { " >>>>>>> role 6 ......" }
      # dept_tech may manage users and read the department of its own department only
      can :manage, User, :department_id => user.department_id
      can :read, Department, :id => user.department_id
      Rails.logger.debug { " >>>>>>> user.department: #{user.department_id}" }
    end
  end
end
```

And the users controller:

```ruby
load_and_authorize_resource
...
def new
  respond_to do |format|
    Rails.logger.debug { " >>>> here" }
    format.html # new.html.erb
  end
  Rails.logger.debug { " >>>> there" }
end
...
```

There is a

```ruby
load_and_authorize_resource
```

in the departments controller too.

And the _form view helper using simple_form:

```erb
<%= simple_form_for @user, :html => { :class => 'form-horizontal' } do |f| %>
  <%= f.input :email %>
  <% Rails.logger.debug { " >>>> view" } %>
  <%= f.association :department %>
  ....
<% end %>
```

This works well: dept_tech can do the index and show actions on departments, and the index and show actions on users work too. But when the new action on users is performed, the collection_select for department shows every department, not just the department of dept_tech.

The idea is that dept_tech can create (manage) users of its own department.

This log shows that the select is run without any condition on the department, and that it is done in the view.

```
started "/users/new" 127.0.0.1 @ 2012-06-05 13:57:58 +0200
[2012-06-05 13:57:58 +0200] processing userscontroller#new html
[2012-06-05 13:57:58 +0200]   user load (0.9ms)  select "users".* "users" "users"."id" = $1 limit 1  [["id", 2]]
[2012-06-05 13:57:58 +0200]  >>>> user id: 2, user role: ["dept_tech"], roles_mask: 64
[2012-06-05 13:57:58 +0200]  >>>> role 6
[2012-06-05 13:57:58 +0200]  >>>> user.department: 2
[2012-06-05 13:57:58 +0200]  >>>> here
[2012-06-05 13:57:58 +0200]  >>>> view
[2012-06-05 13:57:58 +0200]   department load (0.9ms)  select "departments".* "departments"
[2012-06-05 13:57:58 +0200]   rendered users/_form.html.erb (45.7ms)
[2012-06-05 13:57:58 +0200]   rendered users/new.html.erb within layouts/application (46.5ms)
[2012-06-05 13:57:58 +0200]  >>>> there
[2012-06-05 13:57:58 +0200] completed 200 ok in 63ms (views: 56.4ms | activerecord: 1.8ms)
```

The log shows, not surprisingly, that the SQL gets called in the view. Is this a simple_form issue? How can I solve it?
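The rules from the question run outside Rails, as an added example that is not part of the post: a small stand-in for CanCan's hash-condition matching (the cancan gem itself is not loaded, and the `Dept`/`UserRec` structs and sample data are constructed) showing that `can :read, Department, :id => ...` only applies when a record is checked, so a form helper that loads every department on its own ignores it, while a `create` with a foreign `department_id` is still rejected by the instance check. In the real app the query-side equivalent of `accessible` below is CanCan's `Department.accessible_by(current_ability)`, which can be passed as the `:collection` option of `f.association`.

```ruby
# Stand-alone model of CanCan's hash-condition rules; not the cancan gem.
Dept = Struct.new(:id, :name)
UserRec = Struct.new(:id, :role, :department_id)

# Constructed sample data: three departments, one dept_tech user in department 2.
DEPARTMENTS = [Dept.new(1, "sales"), Dept.new(2, "tech"), Dept.new(3, "hr")]
DEPT_TECH = UserRec.new(2, :dept_tech, 2)

class Ability
  Rule = Struct.new(:action, :subject, :conditions)

  def initialize(user)
    @rules = []
    if user.role == :admin
      can :manage, :all
    elsif user.role == :dept_tech
      # Same rules as in the question: own-department users and department only.
      can :manage, UserRec, department_id: user.department_id
      can :read, Dept, id: user.department_id
    end
  end

  def can(action, subject, conditions = {})
    @rules << Rule.new(action, subject, conditions)
  end

  # Instance check: subject, action and every hash condition must match the record.
  def can?(action, obj)
    @rules.any? do |r|
      (r.subject == :all || obj.is_a?(r.subject)) &&
        (r.action == :manage || r.action == action) &&
        r.conditions.all? { |attr, val| obj.public_send(attr) == val }
    end
  end

  # Query-side scoping: keep only the records the rules allow for this action.
  def accessible(action, records)
    records.select { |rec| can?(action, rec) }
  end
end

ability = Ability.new(DEPT_TECH)
# An unscoped association select lists every department:
ALL_NAMES = DEPARTMENTS.map(&:name)
# Scoped through the ability, only the user's own department remains:
ALLOWED_NAMES = ability.accessible(:read, DEPARTMENTS).map(&:name)
# A submitted foreign department_id still fails the create check; own department passes:
FOREIGN_OK = ability.can?(:create, UserRec.new(nil, :dept_tech, 3))
OWN_OK = ability.can?(:create, UserRec.new(nil, :dept_tech, 2))
```

Filtering the collection only fixes what the form offers; the check on `create` is what actually enforces the rule, so keep `load_and_authorize_resource` on that action.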

