Understanding custom content access control
The Redmine access control layer is modeled around controlling access to RESTful routes. Although this approach allows us to manage access to content areas, it falls short when it comes to actually locking down access to content itself.
The case study we're going to explore adds an additional layer of security to our knowledgebase plugin by restricting access to specific categories as well as the articles contained within those categories.
The first step we need to take is to decide how we're going to add our new permission. Ruby on Rails applications are very easy to extend using Rubygems (visit http://rubygems.org), and there are a number of access control gems available on GitHub that allow for some extremely complex permissions and access management schemes.
Since our needs are relatively simple, rather than adding a new dependency to Redmine via an external library, we're going to extend our category model with a user whitelist.
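To make the whitelist idea concrete, here is an added example of what a category-level user whitelist looks like once it is expressed in code. It is not code from the book's knowledgebase plugin and it deliberately uses plain Ruby objects rather than ActiveRecord so that it runs stand-alone; the class names (`Category`, `Article`, `User`, `ForbiddenError`), the `allowed_user_ids` attribute, the `visible_to?` and `authorize_article!` methods and the sample users and categories are all assumptions constructed for illustration. The point it demonstrates is the one the text makes: a route-level permission decides whether someone may reach the articles area at all, while the whitelist on the category decides whether a given user may see that category's content, and articles inherit their category's restriction so that a direct URL to an article cannot bypass it.

```ruby
# Added example, not the plugin's own code. Models a per-category user
# whitelist in plain Ruby; in a real Redmine plugin `allowed_user_ids`
# would be a serialized column or a join table on the Category model
# (an assumption about how one would persist it, not the book's design).

class ForbiddenError < StandardError; end

# Minimal stand-in for Redmine's User: an id, a login and an admin flag.
User = Struct.new(:id, :login, :admin) do
  def admin?
    admin
  end
end

class Category
  attr_reader :id, :name, :allowed_user_ids

  # allowed_user_ids == nil means the category carries no whitelist and
  # falls back to the ordinary route-level permission. Any array (even an
  # empty one) means only the listed users and administrators may view it.
  def initialize(id, name, allowed_user_ids: nil)
    @id = id
    @name = name
    @allowed_user_ids = allowed_user_ids
  end

  def restricted?
    !@allowed_user_ids.nil?
  end

  # The actual content-level check. Order matters: an unrestricted
  # category is visible to whoever passed the route check (including an
  # anonymous, nil user); a restricted one requires a known user who is
  # either an admin or on the whitelist.
  def visible_to?(user)
    return true unless restricted?
    return false if user.nil?
    return true if user.admin?
    allowed_user_ids.include?(user.id)
  end
end

class Article
  attr_reader :id, :title, :category

  def initialize(id, title, category)
    @id = id
    @title = title
    @category = category
  end

  # Articles inherit their category's restriction, which is the gap a
  # purely route-based check leaves open: locking the category page does
  # nothing if /articles/101 is still readable.
  def visible_to?(user)
    category.visible_to?(user)
  end
end

# Used by index/listing actions so that restricted titles are never
# rendered for users who cannot open them.
def visible_articles(articles, user)
  articles.select { |article| article.visible_to?(user) }
end

# Used by show/edit actions, in the spirit of a before_action: refuse the
# request outright instead of relying on the listing page to hide links.
def authorize_article!(article, user)
  raise ForbiddenError, "article #{article.id} is not visible to this user" unless article.visible_to?(user)
  article
end

# Constructed sample data for the demonstration.
ALICE = User.new(1, "alice", false)
BOB   = User.new(2, "bob", false)
ADMIN = User.new(3, "admin", true)

PUBLIC_CAT = Category.new(10, "General")
HR_CAT     = Category.new(11, "HR policies", allowed_user_ids: [ALICE.id])

ARTICLES = [
  Article.new(100, "Welcome", PUBLIC_CAT),
  Article.new(101, "Salary bands", HR_CAT),
].freeze

if __FILE__ == $PROGRAM_NAME
  [ALICE, BOB, ADMIN, nil].each do |user|
    label = user ? user.login : "anonymous"
    puts "#{label}: #{visible_articles(ARTICLES, user).map(&:title).inspect}"
  end
end
```

Two properties are worth keeping when this is ported onto a real model: the listing filter and the per-request check must share one predicate (`visible_to?` here), otherwise the two drift apart and one of them eventually leaks; and the "no whitelist" case should be distinguishable from "empty whitelist", since silently treating an empty list as open would turn a misconfigured category into a public one.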
The goals...