Authorisation

Hi,

So I have got an application that has the following authorisation roles:

• Admin
• Owner
• Member
• Manager

And my application has to serve multiple clients. So each user has a role that is scoped to a particular client. Classic multi-tenant app.

I have this initialiser:

config.authorization_method = Proc.new { |controller, action, resource| datatable_authorization_method(controller, action, resource) }

And this on my application controller:

  def datatable_authorization_method(controller, action, resource)
    datatable = controller.instance_variable_get(:@datatable)

    return true if datatable.blank? # We are in one of our own controllers; so permissions are handled in BaseController.
    return true if datatable.attributes[:require_role].blank?

    # We are in Effective::DatatablesController
    case datatable.attributes[:require_role]
    when :owner
      return current_user.account_owner?(current_account)
    when :admin
      return current_user.account_admin?(current_account)
    when :manager
      return current_user.account_manager?(current_account)
    when :member
      return current_user.account_member?(current_account)
    else
      raise NotImplementedError.new
    end

And I instantiate an effective datatable like this:

def index
    @contracts_table = ContractsDatatable.new(self, account_id: current_account.id, require_role: :manager)
end

And it works fine, so far. But I think it is a little bit hacky to have that datatable = controller.instance_variable_get(:@datatable). I was wondering if the @datatable could be one of the arguments that are passed to the authorization_method. So that it would be like this:

config.authorization_method = Proc.new { |controller, action, resource, datatable| datatable_authorization_method(controller, action, resource, datatable) }

That way I can be confident that it will not break. What do you think? Or if you could suggest a different alternative.