Simple problem I can't figure out.
I am trying to get the boolean: if "@patient.clinicians".include?("current_clinician") to work.
I have a has_many :through relationship between 'Clinician', and 'Patient' with a joined model 'CareGroupAssignment'.
I am trying to set up authorization so that only clinicians that are connected with a patient through a care_group_assignments table are able to view a patient's profile.
clinician.rb (simplified)
class Clinician < ActiveRecord::Base
belongs_to :care_group
has_many :patients ,:through=> :care_group_assignments
has_many :care_group_assignments, :dependent => :destroy
belongs_to :user
accepts_nested_attributes_for :user, :allow_destroy => true
end
patient.rb
class Patient < ActiveRecord::Base
belongs_to :care_group
has_many :clinicians ,:through=> :care_group_assignments
has_many :care_group_assignments
belongs_to :user
accepts_nested_attributes_for :user, :allow_destroy => true
end
care_group_assignments.rb
class CareGroupAssignment < ActiveRecord::Base
belongs_to :clinician
belongs_to :patient
end
I first tried to follow solutions from various questions (18799934 and 10729609) to get this to work but failed so far.
in I am trying to implement the authorization in PatientsController:
def show
puts params.inspect
@patient = Patient.find_by(id: params["id"])
@shared = @patient.care_group_assignments
if current_clinician
if "@patient.clinicians".include?("current_clinician")
else
redirect_to patients_path, notice: "You tried to access information you do not have authorization for"
end
else
if @patient.id == current_user.patient.id
else
redirect_to root_path, notice: "You tried to access information you do not have authorization for"
end
end
end
current_clinician is defined in my ApplicationController as:
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
helper_method :current_user
before_action :require_user
helper_method :current_clinician
before_action :require_clinician
def current_user
@current_user ||= User.find_by!(auth_token: cookies[:auth_token]) if cookies[:auth_token]
end
def require_user
if current_user.nil?
redirect_to new_session_path
end
end
def current_clinician
current_user.clinician
end
def require_clinician
if current_clinician.nil?
redirect_to new_session_path
end
end
end
Right now if a clinician that is connected to a patient goes to the patients profile they still get redirected away.
Rails 4.1.8, ruby 2.2.1p85, PostgreSQL
Thanks
Aucun commentaire:
Enregistrer un commentaire