Comments (15)
Hey, @parc64.
AG will only inherit from roles which also apply to the user.
So in your example if your user has a `role` set to `admin`, it won't match with role `staff` because it expects `staff` to be inside the `role` attribute.
You should update the less important roles to also apply to admins, like this:
```ruby
role :staff, proc { |user| user.role == "staff" || user.role == "admin" } do
```
This way admin will still have permissions granted by staff and will override them if there are any more important permissions in role `:admin`.
from access-granted.
Hello @pokonski,
Ok that makes sense. It would be nice to update the docs to show this example. The way the docs are now, it's difficult to understand if the gem is doing this behind the scenes or if the user needs to knit these together as your example shows. The docs also talk about the order of the roles in the access_policy.rb file, does the gem actually use the order for anything, or is that just a suggested good practice?
Thanks!
from access-granted.
You are absolutely right, it isn't backed by an example, but only a short sentence. I will expand that :)
And yes order is important because the first role which has a permission you are checking will stop further checks. So if a top role has 'cannot' defined for a permission, then Access Granted will not check the remaining roles.
from access-granted.
The order is explained in the Readme here https://github.com/chaps-io/access-granted/blob/master/README.md#roles-in-order-of-importance
from access-granted.
awesome, thank you
from access-granted.
Correct me if I'm wrong, but can't I set up per-object permissions rather than roles and grant users access using something like bitmask?
from access-granted.
@rozhok you don't have to use roles. You can have one role for everything and do whatever check you like inside the `can` block.
from access-granted.
Oh really, missed last example, got it.
Okay, but it's not the best way to do that, is it?
from access-granted.
AG is made specifically to utilize roles, if you don't have roles then yes - it might not be the best way.
from access-granted.
I want roles, but I don't want inheritance. Is there a way to avoid it?
from access-granted.
Yes, roles only inherit each other if they apply to the user.
For example this policy:
```ruby
role :admin_role, proc { |user| user.role == :admin } do
  # ... some permissions here ...
end
role :regular_role, proc { |user| user.role == :regular } do
  # ...
end
```
for an admin user like this
```ruby
current_user.role #=> :admin
```
will not inherit permissions from `regular_role` because that role is not matching the user at all (it would only match if the conditions were satisfied).
But if you'd like admins to inherit permissions from regular roles you could write a condition proc that matches admins, like this:
```ruby
role :admin_role, proc { |user| user.role == :admin } do
  # ... some permissions here ...
end
role :regular_role, proc { |user| user.role == :regular || user.role == :admin } do
  # ...
end
```
You have full control over how roles match, so you can construct any inheritance you want... or no inheritance at all.
I hope that example explains it this time.
from access-granted.
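The matching rules explained in the replies above (a role applies only when its condition proc matches the user, and the first applicable role that defines a permission decides), shown as an added example that is not part of the original thread and is not the gem's own code. `MiniPolicy`, `User`, `build_policy` and `widen_staff` are hypothetical names in a simplified model of that behaviour.

```ruby
# Simplified model of the matching rules described in this thread.
# MiniPolicy is a hypothetical stand-in, not the access-granted gem's code.
class MiniPolicy
  def initialize(user)
    @user = user
    @roles = [] # declaration order, most important role first
  end

  def role(name, condition, &block)
    @rules = {}
    instance_eval(&block) # the block calls can / cannot below
    @roles << [name, condition, @rules]
  end

  def can(action, subject)
    @rules[[action, subject]] = true
  end

  def cannot(action, subject)
    @rules[[action, subject]] = false
  end

  # First applicable role that mentions the permission decides; this
  # model denies when no applicable role mentions it.
  def can?(action, subject)
    @roles.each do |_, cond, rules|
      next unless cond.call(@user)
      verdict = rules[[action, subject]]
      return verdict unless verdict.nil?
    end
    false
  end
end

User = Struct.new(:role) # constructed sample user type
# Constructed policy; widen_staff toggles whether admins also match :staff.
def build_policy(user, widen_staff:)
  staff = proc { |u| u.role == "staff" || (widen_staff && u.role == "admin") }
  policy = MiniPolicy.new(user)
  policy.role(:admin, proc { |u| u.role == "admin" }) do
    can :destroy, :post
    cannot :archive, :post
  end
  policy.role(:staff, staff) do
    can :update, :post
    can :archive, :post
  end
  policy
end
```

Checks of this kind are worth keeping as a regression test whenever a role's condition is widened, because a broader proc grants every permission listed under that role to the newly matched users.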
Oh, finally got it.
Thanks!
from access-granted.
Awesome, let me know if AG turned out to be useful 😄
from access-granted.
Everything works as expected! Awesome. Using it in prod now.
from access-granted.
@rozhok fantastic! I do love hearing success stories :D
from access-granted.