Authorization of Functionality
The authorizations described in the help cover authorization of controller actions and model instances. But what if you want to have a mixed authorization system that includes authorization of features that are part of your views?
For example: You want to allow your blog users to see a list of other blog users, and your blog admins to be able to impersonate (i.e. post a blog for) other users.
Let’s create a role named “impersonate_user”. The User#role_symbols method should include “impersonate_user” in the roles it returns for the users who are allowed to impersonate.
Then, in your view, wrap the relevant block of view code in has_role?( :impersonate_user )
You do not have to modify anything in authorization_rules.rb, unless you also want that role to include access to other controllers, actions, or instances.
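The steps above as an added example, not code from the original page or from the gem: plain Ruby with the standard library's ERB standing in for a Rails view. The User constructor, the is_admin flag, the ViewContext class, its has_role? stand-in and the /impersonate/ path are assumptions made for illustration.

```ruby
require "erb"

# Stand-in for the application's user model. Only role_symbols comes from
# the page; the constructor and the is_admin flag are assumptions.
class User
  attr_reader :login
  def initialize(login, is_admin: false)
    @login = login
    @is_admin = is_admin
  end
  # Every user gets :user; admins also get the feature role.
  def role_symbols
    roles = [:user]
    roles << :impersonate_user if @is_admin
    roles
  end
end

# Hypothetical view context. In a Rails app the gem supplies has_role?;
# this version only mimics the block form used in the view.
class ViewContext
  TEMPLATE = <<~HTML
    <ul>
    <% @users.each do |u| %>
      <li><%= ERB::Util.html_escape(u.login) %>
      <% has_role?(:impersonate_user) do %>
        <a href="/impersonate/<%= ERB::Util.url_encode(u.login) %>">Post as</a>
      <% end %>
      </li>
    <% end %>
    </ul>
  HTML

  def initialize(current_user, users)
    @current_user = current_user
    @users = users
  end

  # Runs the block only when the current user holds every listed role.
  def has_role?(*roles)
    allowed = roles.all? { |r| @current_user.role_symbols.include?(r) }
    yield if allowed && block_given?
    allowed
  end

  def render
    ERB.new(TEMPLATE).result(binding)
  end
end
```

The helper only controls what is rendered; the action that actually performs the impersonation needs its own server-side authorization check.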