I'm trying to add filter_access_to with attribute_check: true but my model, Assignment, is nested on Project and I want to check that the current user is assigned to the project so he/she can update the assignments (i.e. all the assignments, not just a specific one) on the project.
I have the next permission:
has_permissions_on :assignment do |a|
to :read
if_attribute :user, is { user }
end
And in my controller:
filter_access_to :all, require: :manage, context: :assignment, attribute_check: true
The problem is that I can't access the index page because it doesn't find the assignment's id.
My models are:
class User < ActiveRecord::Base
has_many :assignments
has_many :projects, through: :assignments
end
class Project < ActiveRecord::Base
has_many :assignments
has_many :users, through: :assignments
end
class Assignment < ActiveRecord::Base
belongs_to :user, inverse_of: :assignments
belongs_to :project, inverse_of: :assignments
end
Unless you have a very specific need to use filter_access_to, you can use filter_resource_access (see docs) instead and specify :nested_in option.
Simply change your filer_access_to line with the following (or similar):
filter_resource_access nested_in: :projects
If you really want to continue using filter_access_to, then you need to create an instance of Assignment associated with Project and assign it to @assignment instance variable in a before_filter. This is what Declarative Authorization does under the hood when you use filter_resource_access.