I'm not sure if this is the right place to ask this question. If not, let me know where I can post it and I will repost.
Basically, I am having trouble trying to figure out how to restrict user access to only what they are assigned to.
I am currently creating a system where users are assigned to a group and through that group they have access to communicate with each other. The way I implemented this so far was to store their assigned groups (HABTM) into a session variable and then check that variable for the group id to see if that user is assigned to that group.
    def set_allowed_discussion_group_ids
      if current_user
        # cache the ids of the groups the user belongs to for later checks
        session[:allowed_discussion_group_ids] ||= current_user.discussion_groups.map(&:id)
      end
    rescue
      # a bare rescue with no body silently swallows every error here
    end
To give an idea of my issue, if a user attempts to create a discussion the following check should run to make sure that they are allowed to start the discussion:
    def authorized_to_start_discussion?
      unauthorized_message_and_redirect unless session[:allowed_discussion_group_ids].include?(params[:discussion_group_id].to_i)
    end
Then again when they go to create the discussion:
    def authorized_to_create_discussion?
      unauthorized_message_and_redirect unless session[:allowed_discussion_group_ids].include?(params[:discussion][:discussion_group_id].to_i)
    end
My current issue is with the second method: when I click the submit button, I get into this method and it executes this unauthorized_message_and_redirect even though the check returns true. I have been fighting with this for a while and have looked at it in many different ways and can't seem to tell what my issue is.
Is there a better way that I could implement something like this? I don't see this as being overly complicated yet I can't seem to understand what I am doing wrong.
Thanks in advance for any help.
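Added example, not code from the question above: the same authorization check written against the user's current group membership rather than an id list cached in the session. Plain Ruby stand-ins for the Rails model and the `params` hash are assumed so it runs outside Rails; `User`, `authorized_for_group?`, `requested_group_id` and `stale_cache_demo` are names introduced here. It also shows why a session cache is a risk: once membership is revoked, the cached list still grants access until the session is rebuilt.

```ruby
# Added example (not the asker's code). Authorizes a discussion against the
# user's live group membership instead of session[:allowed_discussion_group_ids].

# Stand-in for a User with has_and_belongs_to_many :discussion_groups (assumed).
User = Struct.new(:id, :discussion_group_ids)

# Authorization check: consult current membership every time it is needed.
# Returns false for a missing user or a non-numeric id instead of raising.
def authorized_for_group?(user, group_id)
  return false if user.nil?
  gid = Integer(group_id, exception: false) # request params arrive as strings
  return false if gid.nil?
  user.discussion_group_ids.include?(gid)
end

# The asker's two checks read the id from different places in params;
# one helper that accepts both shapes keeps the two checks from diverging.
def requested_group_id(params)
  params.dig(:discussion, :discussion_group_id) || params[:discussion_group_id]
end

# Demonstrates the stale-cache problem: the cached list is filled, the user
# is then removed from group 20, and the two checks disagree.
def stale_cache_demo
  user = User.new(1, [10, 20])
  cached = user.discussion_group_ids.dup   # like session[:allowed_discussion_group_ids]
  user.discussion_group_ids.delete(20)     # membership revoked after the cache was built
  {
    cached_says: cached.include?(20),                 # still true: stale grant
    live_says:   authorized_for_group?(user, "20")    # false: reflects the revocation
  }
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample params, one per controller action in the question
  start_params  = { discussion_group_id: "10" }
  create_params = { discussion: { discussion_group_id: "10" } }
  user = User.new(1, [10, 20])
  puts authorized_for_group?(user, requested_group_id(start_params))
  puts authorized_for_group?(user, requested_group_id(create_params))
  p stale_cache_demo
end
```

In a controller, `authorized_for_group?(current_user, requested_group_id(params))` would replace the session lookup in both before-actions; the cost is one membership query per request, which is what makes a revoked membership take effect immediately.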