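# Generated resource controller (resource_controller plugin) with one
# authorization filter per mutating/reading action. Every filter loads the
# target record, asks the model's *_by?(current_user) predicate and, when the
# answer is false, flashes a notice and redirects to the collection. The model
# predicates are the single source of truth for who may do what; this
# controller only wires them to actions.
class <%= controller_class_name %>Controller < ResourceController::Base
  before_filter :has_edit_permission,     :only => [:edit]
  before_filter :has_update_permission,   :only => [:update]
  before_filter :has_create_permission,   :only => [:new, :create]
  before_filter :has_view_permission,     :only => [:show]
  before_filter :has_delete_permission,   :only => [:destroy]
  before_filter :select_viewable_objects, :only => [:index]

  private

  # Loads every record of the association chain, keeps those the current user
  # may view and paginates the remainder into @viewable_<%= plural_name %>.
  # NOTE: the visibility check runs in Ruby over the full result set, so the
  # cost of :index grows with the table size, not with the page size.
  # TODO: instead of Article.all, this should be chain.articles || Article.all as the case is
  def select_viewable_objects
    visible = end_of_association_chain.find(:all).select do |record|
      record.viewable_by?(current_user, "id")
    end
    @viewable_<%= plural_name %> = visible.paginate(:page => params[:page], :per_page => 4)
  end

  # Allows :edit only when the loaded record is editable by the current user.
  # TODO: infer permissions from updatable_by? whether to display the field for a given attribute or not
  def has_edit_permission
    load_object
    return deny_access unless @<%= singular_name %>.editable_by?(current_user)
    true
  end

  # Allows :new/:create only when a record built from the request params is
  # creatable by the current user.
  def has_create_permission
    build_object
    load_object
    return deny_access unless @<%= singular_name %>.creatable_by?(current_user)
    true
  end

  # Allows :show only when the loaded record is viewable by the current user.
  # The second argument ("id") is forwarded unchanged; its meaning is defined by
  # the model's viewable_by?.
  def has_view_permission
    load_object
    return deny_access unless @<%= singular_name %>.viewable_by?(current_user, "id")
    true
  end

  # Allows :destroy only when the loaded record is deletable by the current user.
  def has_delete_permission
    load_object
    return deny_access unless @<%= singular_name %>.deletable_by?(current_user)
    true
  end

  # Allows :update only when the record, with the submitted attributes applied
  # in memory (nothing is saved here), is updatable by the current user.
  # The param key is derived from the resource name rather than the hard-coded
  # :article the template was copied from, so it works for any generated resource.
  # Mass assignment happens before the permission check, so the model's
  # attr_accessible / attr_protected declarations are what keep submitted
  # fields out of this record — confirm they are declared on the model.
  # TODO: r_c will call update_attributes again even though simple save would be sufficient after the following line
  def has_update_permission
    load_object
    @<%= singular_name %>.attributes = params[:<%= singular_name %>]
    return deny_access unless @<%= singular_name %>.updatable_by?(current_user, @<%= singular_name %>)
    true
  end

  # Shared failure path of every permission filter: flash a notice, redirect to
  # the collection and return false. The redirect halts the filter chain; the
  # false return value covers Rails versions that also inspect it.
  def deny_access
    flash[:notice] = "Permission denied."
    redirect_to collection_url
    false
  end
end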