I'm using declarative authorization to manage users rights in an application.
I have a post model, which is manageable by its owner:
has_permission_on :post, :to => :manage do
  if_attribute :creator_id => is { user.id }
end
However, I also have the following in my model:
class Post < ActiveRecord::Base
  # Flip only the publication flag. update_attributes takes a hash,
  # so update_attribute (singular) is the call for a single column.
  def publish!
    update_attribute(:published, true)
  end
end
I want to allow some users who aren't the creators of the post to publish it.
I can't just allow them to update the object, though: they aren't supposed to be able to change any field other than the publication status.
There doesn't seem to be a way to allow editing only some fields in a model, though.
I've fixed the problem by using model authorizations and controller ones.
I allow all creators and administrators to edit a post.
Then, in the controller, I specify that only post creators can access the update action, and only administrators can access the publish action.
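The split described in this answer, as an added illustration that is not the poster's code and does not load the declarative_authorization gem: the model-level rule (the poster's has_permission_on block plus an administrator role) and the two per-action controller checks (what filter_access_to would enforce on update and publish) are written here as plain Ruby methods so the logic runs without Rails. User, Post, may_manage?, may_update?, may_publish?, update_action, publish_action and NotAuthorized are all names assumed for this example.

```ruby
# Added illustration, not the original poster's code and not the
# declarative_authorization gem: a plain-Ruby stand-in for the
# model-level / controller-level split described in the answer.

User = Struct.new(:id, :roles) do
  def admin?
    roles.include?(:admin)
  end
end

# Minimal stand-in for the ActiveRecord model; only the fields that
# matter here are kept and `published` starts out false.
class Post
  attr_reader :creator_id, :title, :body, :published

  def initialize(creator_id:, title:, body:)
    @creator_id = creator_id
    @title = title
    @body = body
    @published = false
  end

  # Equivalent of the poster's publish!: touches exactly one field.
  def publish!
    @published = true
    self
  end

  # Equivalent of update_attributes: changes any writable field given.
  def update_attributes(attrs)
    @title = attrs[:title] if attrs.key?(:title)
    @body = attrs[:body] if attrs.key?(:body)
    @published = attrs[:published] if attrs.key?(:published)
    self
  end
end

# Model-level rule (stands in for has_permission_on :post, :to => :manage
# with if_attribute on creator_id, plus an administrator role):
# creators and admins may manage the post.
def may_manage?(user, post)
  user.admin? || post.creator_id == user.id
end

# Controller-level rules (stand in for filter_access_to on each action).
# Both require the model-level permission first, then narrow by action.
def may_update?(user, post)
  may_manage?(user, post) && post.creator_id == user.id
end

def may_publish?(user, post)
  may_manage?(user, post) && user.admin?
end

class NotAuthorized < StandardError; end

# Stand-ins for the two controller actions. The publish action calls
# publish! rather than update_attributes, so an administrator who is not
# the creator cannot push other fields through the publish endpoint even
# if the request carries them.
def update_action(user, post, params)
  raise NotAuthorized, "only the creator may update" unless may_update?(user, post)
  post.update_attributes(params)
end

def publish_action(user, post, _params = {})
  raise NotAuthorized, "only administrators may publish" unless may_publish?(user, post)
  post.publish!
end
```

The field restriction comes from the action, not from the authorization rule: the model-level permission is deliberately broad, and what keeps a non-creator from editing the title or body is that the only action they can reach is one whose code never writes those columns. Any request parameters sent to the publish action are ignored by construction.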