if_attribute on declarative authorization

Question

I have a many-to-many relationship like this: A user has_many organizations through affiliations and vice-versa.

I'm using declarative organizations and I only want a user to edit a particular organization if he is affiliated and the affiliationtype attribute of affiliation is a particular value.

So affiliations has 3 columns , user_id, organization_id and affiliationtype_id

I can do:

o = Organization.find(:first)
o.affiliatons[0].user and get the user

now I wish to do this:

has_permission_on [:organizations], :to => :edit do
  if_attribute (...)
end

That if_attribute should see if the current user is the organization.affiliation[?].user and if the organization.affiliation[?].affiliationtype_id = "3"

I hope this is syntax issue ... I really need to get this working.

Answer 1

EDIT:

You can restrict the type of affiliation with intersects_with(&block) :

  has_permission_on [:organizations], :to => :edit do
    if_attribute :affiliations => intersects_with {
      user.affiliations.with_type_3
    }
  end

Why not create a named_scope to find affiliations whose affiliationtype_id = 3?

---

From declarative_authorization documentation:

To reduce redundancy in has_permission_on blocks, a rule may depend on permissions on associated objects:

authorization do
  role :branch_admin do
    has_permission_on :branches, :to => :manage do
      if_attribute :managers => contains {user}
    end

    has_permission_on :employees, :to => :manage do
      if_permitted_to :manage, :branch
      # instead of
      #if_attribute :branch => {:managers => contains {user}}
    end
  end
end