Role in trestle #11

Open
qkhuyit opened this issue Jul 9, 2018 · 11 comments

Comments

@qkhuyit

qkhuyit commented Jul 9, 2018

How to customize trestle-auth by Role, Role Group, etc.?
Thanks

@spohlenz
Member

This isn't currently possible but should hopefully be very soon (I'm planning on working on it within the next couple of weeks).

@IanMitchell

Would love to see this too! Been trying to have content editors / 'true' administrators, and some things are a little tricky to do.

@wanxsb

wanxsb commented Mar 1, 2019

Looking forward to this.

@McRipper
Contributor

Could be nice to have an idea on how to start so we can help.

@brunitob

This is important!

@brandondrew

Any word on this?

@stydav

stydav commented Nov 23, 2019

Is this possible yet?

@hdbreaker

Hi guys! Is there any news about this issue? I would love to add some roles to my panel in order to show or hide menus based on user roles.

@McRipper
Contributor

I found a way, and it's also pretty straightforward. It's just an idea but I tested it and it works.

Let's use the Pundit gem; remember that roles must be managed separately.

Inside an admin resource, take Customer for example:

Trestle.resource(:customers) do
  ...

  controller do
    include Pundit

    after_action :verify_authorized

    def index
      authorize Customer
      super
    end

    def show
      authorize instance
      super
    end
  end
end

Remember to create a policy for the customer, an easy one would be:

class CustomerPolicy < ApplicationPolicy
  class Scope < Scope
    def resolve
      scope.all
    end
  end

  def index?
    true
  end

  def show?
    false
  end
end

Adding some config to the controller could help, instead of opening all the methods of the controller. Maybe @spohlenz could give us some ideas when he sees this solution; it seems that everything is inherited from "Trestle::AdminController" and "Trestle::ResourceController".

Hope this helps!

@Protoplaste

Hi, just wanted to ask if there is any news on this, or is Pundit still the best way?

@uaru

uaru commented Sep 27, 2022

I needed to have this role-based support, and using @McRipper's suggestion is easy enough.

The only difficulty I found was how to apply Scope policies when the resolve method is more complicated than

def resolve
  scope.all
end

It can be applied in index, as usual; however, it is important to know that @collection is what we need to modify.

Trestle.resource(:customers) do
  ...

  controller do
    include Pundit::Authorization

    after_action :verify_authorized, except: :index
    after_action :verify_policy_scoped, only: :index

    def index
      @collection = policy_scope @collection
    end
    ...
  end
end

If we want to totally cut off some classes of users from seeing the list of resources, we could:

Trestle.resource(:customers) do
  ...

  controller do
    include Pundit::Authorization

    after_action :verify_authorized, except: :index

    def index
      authorize Customer
    end
    ...
  end
end

By using both authorize and policy_scope we can prevent any access for some users, and limit what the others can see. Very flexible.

This way of using Pundit is the easiest and very straightforward, but it has its drawbacks. When the controller's index method is called, the collection is already loaded and prepared. E.g. authorize will prevent the collection data from being displayed to the user, but it will not prevent reading it all from the database. So from a purely performance point of view it could be better to call authorize and policy_scope at the beginning of the Trestle::Resource::Collection.prepare method, or even better, in the search adapter.
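As an added example (not code from this thread or from Trestle), here is a role-aware CustomerPolicy in the Pundit shape that the `authorize Customer`, `authorize instance` and `policy_scope @collection` calls above rely on, runnable without Rails or the pundit gem. User, Customer, NotAuthorized, FakeScope, CUSTOMERS, visible_customers and the role names are constructed stand-ins and assumptions.

```ruby
User     = Struct.new(:name, :role)                 # constructed stand-in for the app's User model
Customer = Struct.new(:id, :name, :account_manager) # constructed stand-in for the Customer model
class NotAuthorized < StandardError; end            # stand-in for Pundit::NotAuthorizedError
# Minimal stand-in for an ActiveRecord relation: all / none / where / to_a.
class FakeScope
  def initialize(rows); @rows = rows; end
  def all; self; end
  def none; FakeScope.new([]); end
  def where(cond); FakeScope.new(@rows.select { |r| cond.all? { |k, v| r[k] == v } }); end
  def to_a; @rows.dup; end
end
# Constructed sample rows: two customers managed by bob, one by carol.
CUSTOMERS = FakeScope.new([Customer.new(1, "Acme", "bob"), Customer.new(2, "Globex", "carol"),
                           Customer.new(3, "Initech", "bob")])

# Pundit conventions: Policy.new(user, record) and Policy::Scope.new(user, scope).
class ApplicationPolicy
  attr_reader :user, :record
  def initialize(user, record); @user, @record = user, record; end
  class Scope
    attr_reader :user, :scope
    def initialize(user, scope); @user, @scope = user, scope; end
    def resolve; scope.none; end # deny by default; subclasses widen this
  end
end

class CustomerPolicy < ApplicationPolicy
  # index? backs `authorize Customer` in the index action: a yes/no per role.
  def index?; %w[admin manager].include?(user.role); end
  # show? backs `authorize instance`: admins see any record, managers only their own.
  def show?
    user.role == "admin" || (user.role == "manager" && record.account_manager == user.name)
  end
  # Scope backs `policy_scope @collection`: the row filter applied to the list.
  class Scope < Scope
    def resolve
      case user.role
      when "admin"   then scope.all
      when "manager" then scope.where(account_manager: user.name)
      else                scope.none
      end
    end
  end
end

# The index action from the snippets above, without Rails: authorize first, then scope.
def visible_customers(user, scope = CUSTOMERS)
  raise NotAuthorized, "#{user.role} may not list customers" unless CustomerPolicy.new(user, Customer).index?
  CustomerPolicy::Scope.new(user, scope).resolve.to_a
end
```

Note that, as the comment above points out, the policy only decides what is shown; in the real controller the rows in @collection have already been read from the database before index runs.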
