[rspec-users] [rails] An authorization question
pat.maddox at gmail.com
Tue Mar 3 12:32:33 EST 2009
On Mon, Mar 2, 2009 at 8:35 PM, Stephen Eley <sfeley at gmail.com> wrote:
> On Mon, Mar 2, 2009 at 5:16 PM, Zach Dennis <zach.dennis at gmail.com> wrote:
>> Forgot to mention what we did do. We ended up with the following...
>> def index
>> if user.has_role?("admin")
>> elsif user.has_role?("associate")
>> raise AccessDenied
> That seems sort of backwards to me. These aren't the user's invoices,
> right? They're just invoices which the user happens to be allowed to
> see? Chaining it this way makes it look like the invoices *belong* to
> the role, and seems to put the user up front instead of the invoices.
> You also have conditional branching with hardcoded values, making the
> controller brittle, and some redundancy with the controller asking the
> model for a value and then passing the value right back to the model.
Agreed. I have a similar example in a blog post:
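To make the point concrete, here is an added example (my own plain-Ruby sketch, not Zach's controller or anything from the blog post): the quoted role-branching shape beside an "invoices up front" version where the model owns a single role-to-visibility table and denies by default. The sample users and invoices are constructed, and the branch bodies in the "before" version are an assumption, since the quoted snippet elided them.

```ruby
# Added example (not code from the thread). Plain Ruby so it runs without Rails.
class AccessDenied < StandardError; end

User = Struct.new(:name, :roles) do
  def has_role?(role)
    roles.include?(role)
  end
end
Invoice = Struct.new(:id, :associate, :amount)

# Constructed sample data: three invoices, two belonging to associate "bob".
INVOICES = [
  Invoice.new(1, "carol", 100),
  Invoice.new(2, "bob", 250),
  Invoice.new(3, "bob", 75),
].freeze

# Shape of the quoted controller (branch bodies are an assumption; the thread elided
# them): the controller interrogates the user about hardcoded role names and then
# decides for itself which invoices to load.
def index_before(user)
  if user.has_role?("admin")
    INVOICES
  elsif user.has_role?("associate")
    INVOICES.select { |inv| inv.associate == user.name }
  else
    raise AccessDenied
  end
end

# Invoices up front: the model owns one table of "which invoices may a role see",
# and any user holding none of the listed roles is denied by default.
class Invoice
  VISIBILITY = {
    "admin"     => ->(_user, all) { all },
    "associate" => ->(user, all) { all.select { |inv| inv.associate == user.name } },
  }.freeze

  def self.visible_to(user, all = INVOICES)
    _role, rule = VISIBILITY.find { |name, _| user.has_role?(name) }
    raise AccessDenied, "#{user.name} holds no role that grants invoice access" unless rule
    rule.call(user, all)
  end
end

# The controller action no longer branches on roles at all.
def index_after(user)
  Invoice.visible_to(user)
end
```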