I have everything working correctly, but now I want to limit some user abilities to perform some attachment actions.
Specifically, the ability to limit the viewing of all uploaded attachments to those actually uploaded by the user.
Here is the applicable snippet from ability.rb I tried:

```ruby
if user.id
  can :access, :ckeditor
  can [:read, :create, :destroy], Ckeditor::Picture, assetable_id: user.id
  can [:read, :create, :destroy], Ckeditor::AttachmentFile, assetable_id: user.id
end
```
The situation arises when I am using the CKeditor UI, click the Image button, and then click the Browse Server button to see the previously uploaded images -- right now the image browser shows the uploads of all users. I would like the viewed images to be limited to those of the current_user only.
Since the Ckeditor table saves the assetable_id of the attachment (i.e. the user.id), and the logic above does not work on its own, I'm guessing some custom Controller logic is also needed here.
Thanks.
I was able to solve this issue with custom Ckeditor controllers & some guidance from here: https://github.com/galetahub/ckeditor/issues/246
First I needed to make copies of the Ckeditor controllers pictures_controller.rb & attachment_files_controller.rb and place them here: /app/controllers/ckeditor/

Then a few updates to their suggestions to update index were necessary, particularly picture_model.find_all needed to be picture_adapter.find_all in pictures_controller.rb (and similarly attachment_file_adapter.find_all in attachment_files_controller.rb).

The key to it all is setting the proper scope with: ckeditor_pictures_scope(assetable_id: ckeditor_current_user) & ckeditor_attachment_files_scope(assetable_id: ckeditor_current_user)
Once these revisions are in place, the file browsers for pictures & attachments show only the appropriate files for that user.
Here are the revised files ... the changes are on line 4 of both.
/app/controllers/ckeditor/pictures_controller.rb

```ruby
class Ckeditor::PicturesController < Ckeditor::ApplicationController

  def index
    @pictures = Ckeditor.picture_adapter.find_all(ckeditor_pictures_scope(assetable_id: ckeditor_current_user)) # line 4: listing scoped to the current user
    @pictures = Ckeditor::Paginatable.new(@pictures).page(params[:page])
    respond_with(@pictures, :layout => @pictures.first_page?)
  end

  def create
    @picture = Ckeditor.picture_model.new
    respond_with_asset(@picture)
  end

  def destroy
    @picture.destroy
    respond_with(@picture, :location => pictures_path)
  end

  protected

  # Lookup by id; this is not scoped to the current user, so the ability
  # rule checked in authorize_resource is what restricts it.
  def find_asset
    @picture = Ckeditor.picture_adapter.get!(params[:id])
  end

  def authorize_resource
    model = (@picture || Ckeditor.picture_model)
    @authorization_adapter.try(:authorize, params[:action], model)
  end
end
```
/app/controllers/ckeditor/attachment_files_controller.rb

```ruby
class Ckeditor::AttachmentFilesController < Ckeditor::ApplicationController

  def index
    @attachments = Ckeditor.attachment_file_adapter.find_all(ckeditor_attachment_files_scope(assetable_id: ckeditor_current_user)) # line 4: listing scoped to the current user
    @attachments = Ckeditor::Paginatable.new(@attachments).page(params[:page])
    respond_with(@attachments, :layout => @attachments.first_page?)
  end

  def create
    @attachment = Ckeditor.attachment_file_model.new
    respond_with_asset(@attachment)
  end

  def destroy
    @attachment.destroy
    respond_with(@attachment, :location => attachment_files_path)
  end

  protected

  # Lookup by id; this is not scoped to the current user, so the ability
  # rule checked in authorize_resource is what restricts it.
  def find_asset
    @attachment = Ckeditor.attachment_file_adapter.get!(params[:id])
  end

  def authorize_resource
    model = (@attachment || Ckeditor.attachment_file_model)
    @authorization_adapter.try(:authorize, params[:action], model)
  end
end
```
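As an added illustration (this is not code from the question, the answer or the ckeditor gem), here is a self-contained Ruby model of the two lookups the revised controllers perform. The `User` and `Picture` structs, `InMemoryPictureAdapter` (standing in for `Ckeditor.picture_adapter` with the same `find_all(conditions)` and `get!(id)` calls the answer uses), the `Ability` class (the question's CanCan rule) and the sample rows are all assumptions. It shows the security point behind the answer: the `assetable_id` scope on `index` only filters what the file browser lists, while a destroy by id still goes through an unscoped `get!` and is restricted only by the ability rule; a lookup that applies the same owner scope removes that dependency.

```ruby
# Added example; not from the question, the answer or the ckeditor gem.
# Assumed stand-ins: User/Picture structs, InMemoryPictureAdapter (mimics the
# find_all(conditions) / get!(id) calls used in the answer), Ability (the
# question's CanCan rule) and the constructed sample rows below.

User    = Struct.new(:id)
Picture = Struct.new(:id, :assetable_id, :data_file_name)

class AccessDenied < StandardError; end

class InMemoryPictureAdapter
  class RecordNotFound < StandardError; end

  def initialize(records)
    @records = records
  end

  # Column => value conditions, like the hash ckeditor_pictures_scope builds
  # (the real scope also carries an :order key; omitted in this stand-in).
  def find_all(conditions = {})
    @records.select { |r| conditions.all? { |col, val| r[col] == val } }
  end

  # Unscoped lookup by primary key, like picture_adapter.get!(params[:id]).
  def get!(id)
    @records.find { |r| r.id == id } || raise(RecordNotFound, "Picture #{id}")
  end
end

# Mirrors the question's rule:
#   can [:read, :create, :destroy], Ckeditor::Picture, assetable_id: user.id
class Ability
  def initialize(user)
    @user = user
  end

  def can?(action, picture)
    %i[read create destroy].include?(action) && picture.assetable_id == @user.id
  end
end

# Constructed sample data: user 10 owns pictures 1 and 2, user 20 owns picture 3.
ADAPTER = InMemoryPictureAdapter.new([
  Picture.new(1, 10, 'one.png'),
  Picture.new(2, 10, 'two.png'),
  Picture.new(3, 20, 'three.png')
])

# The answer's index: the file browser lists only the current user's rows.
def index_for(user, adapter = ADAPTER)
  adapter.find_all(assetable_id: user.id)
end

# The answer's destroy path: unscoped get!, then the ability check. The scope
# on index has no effect here; only the ability rule stops another user's id.
def destroy_as(user, picture_id, adapter = ADAPTER)
  picture = adapter.get!(picture_id)
  unless Ability.new(user).can?(:destroy, picture)
    raise AccessDenied, "user #{user.id} may not destroy picture #{picture_id}"
  end
  picture
end

# Defence in depth: resolve the id through the same owner scope as the
# listing, so a foreign id is simply not found whatever the ability rules say.
def find_owned(user, picture_id, adapter = ADAPTER)
  adapter.find_all(id: picture_id, assetable_id: user.id).first ||
    raise(InMemoryPictureAdapter::RecordNotFound, "Picture #{picture_id}")
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(10)
  puts index_for(alice).map(&:data_file_name).inspect # ["one.png", "two.png"]
  begin
    destroy_as(User.new(20), 1)
  rescue AccessDenied => e
    puts e.message
  end
end
```

In the real controllers the equivalent of `find_owned` would be a `find_asset` that passes the owner condition to the adapter rather than calling `get!` alone, so that the listing filter and the per-record lookup enforce the same boundary even if an ability rule is later loosened.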