Spencer's Profile

Comments by Spencer

Spencer on #386 Authorization from Scratch Part 2 (pro) 2012-11-02 14:26:02

Figured out the answer to my problem....I forgot to override @current_resource

          controllers/users_controller.rb
        
def current_resource
    @current_resource ||= current_user
end

Spencer on #386 Authorization from Scratch Part 2 (pro) 2012-10-30 01:49:01

Can anyone point me in the right direction? I want to allow a user to only show, edit, update, or destroy their own user resource? I've implemented the @current_user caching from rails cast #274 Remember Me & Reset Password

          application_controller.rb
        
private 
  def current_user
    @current_user ||= User.find_by_auth_token!(cookies[:auth_token]) if cookies[:auth_token]
  end
def current_resource
    nil
  end
  
  def authorize
    if current_permission.allow?(params[:controller], params[:action], current_resource)
      current_permission.permit_attr! params
    else
      if current_user
        flash[:alert] = 'Not Authorized'
        redirect_to home_path
      else
        session[:protected_page] = request.fullpath
        flash[:alert] = 'Please Login'
        redirect_to root_url
      end
    end
  end

          member_permission.rb
        
module Permissions
  class MemberPermission < BasePermission
    def initialize(user)
      allow :sessions,        [:new,:create,:destroy]
      allow :password_resets, [:new,:create,:edit,:update]
      allow :users,           [:new,:create]
      allow :users,           [:show,:edit,:update,:destroy] do |current_user|
        current_user.id == user.id
      end
      allow :interests,       [:new, :create]
      allow :interests,       [:edit, :update, :destroy] do |interest| 
        interest.user_id == user.id 
      end
      allow_attr :user,       [:email, :zip_code]
    end
  end
end

I get caught in an infinite redirect loop when a normal user tries to show their own user profile. Any tips or suggestions would be appreciated. Mahalo