I have a resource database where resources can belong to different locations. Users and groups (self-referential user table) can have different roles on different locations. Groups can be inside other groups. Authorization works well for single users using ‘if_attribute’ to check if the location_id is among the location_ids that the user is allowed to show, edit, etc.:
has_permission_on :locations do
to [:show, :new, :create, :edit, :update, :destroy]
if_attribute :id => is_in { (user.permissions.where(:role => "admin").collect {|i| Location.find_by_id(i.location_id).subtree_ids}.flatten.uniq )}
end
Since the groups can be “nested” inside each other, I have figured that I’ll have to use a recursive method to find all the “legal” location ids. I tried this:
has_permission_on :locations do
to [:show, :new, :create, :edit, :update, :destroy]
if_attribute :id => is_in { (user.permissions.where(:role => "admin").collect {|i| Location.find_by_id(i.location_id).subtree_ids} + find_group_location_ids(user)).flatten.uniq }
end
with the method defined outside the ‘authorization do’-routine:
def find_group_location_ids(user)
location_ids = []
nested_group_location_ids(user)
def nested_group_location_ids(user)
user.group_memberships.each do |gm|
location_ids = location_ids + gm.user.location.id
nested_group_location_ids(gm.user)
end
end
return location_ids
end
The problem is that the method call doesn’t find the method. I get this error:
NoMethodError (undefined method `find_group_location_ids’ for (Authorization::Engine::AttributeValidator:0x7fb63448e2b0)
I have tried to place the method definition on a lot of different places, but with no luck.
How can I use if_attribute to see if an id is inside an array from a recursive method?
I got som help from steffenb at the declarative_authorization group at google groups (he is the author of declarative_authorization). The solution was to move the method to the user model:
and to call it in this way from autorization_rules.rb: