Ensuring access restrictions in models, views, and controllers
Now that we know how to declare and apply permissions for our plugin, we need to ensure that those permissions are honored in the context we intended.
Checking whether the current user has permission to perform a specific action is done with the allowed_to? method of the User model, the syntax for which is as follows:

allowed_to?(action, context, options={}, &block)

The action parameter of this method can take either a parameter Hash (such as :controller => "project", :action => "edit") or a permission Symbol (for example :edit_project).

There is also a User model method, allowed_to_globally?, that uses the same syntax and is used to check for global permissions.

Note that, as model methods, neither allowed_to? nor allowed_to_globally? actually restricts access to content areas based on defined permissions; they are used to test a user instance to see whether it has the permission for a content area. For example...
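As an added illustration (not code from the book or from Redmine itself), the following self-contained Ruby sketch mirrors the call shape just described: a User with per-project memberships, Roles carrying permission symbols, an action argument that is either a Symbol or a :controller/:action Hash, an optional block that further restricts a match, and allowed_to_globally? delegating to allowed_to? with the :global option. The PERMISSIONS table and the Project, Role and User classes are constructed stand-ins; Redmine's real models are far richer.

```ruby
# Constructed stand-ins for Redmine's Project, Role and User models (not the
# real classes). PERMISSIONS maps a permission symbol to the routes it grants.
PERMISSIONS = {
  view_project: [{ controller: 'project', action: 'show' }],
  edit_project: [{ controller: 'project', action: 'edit' },
                 { controller: 'project', action: 'update' }]
}.freeze

Project = Struct.new(:name, :active)

Role = Struct.new(:name, :permissions) do
  # Accepts either a permission Symbol or a {:controller, :action} Hash.
  def allowed_to?(action)
    if action.is_a?(Hash)
      route = { controller: action[:controller].to_s, action: action[:action].to_s }
      permissions.any? { |perm| PERMISSIONS.fetch(perm, []).include?(route) }
    else
      permissions.include?(action.to_sym)
    end
  end
end

class User
  def initialize(login, memberships = {}, admin: false)
    @login, @memberships, @admin = login, memberships, admin  # memberships: Project => [Role]
  end

  # Same call shape as Redmine's User#allowed_to?; behaviour simplified.
  def allowed_to?(action, context, options = {}, &block)
    if context.is_a?(Project)
      return false unless context.active            # inactive projects deny everything
      return true if @admin
      check_roles(@memberships.fetch(context, []), action, &block)
    elsif context.is_a?(Array)                      # every listed project must allow it
      !context.empty? && context.all? { |p| allowed_to?(action, p, options, &block) }
    elsif options[:global]                          # any membership anywhere suffices
      @admin || check_roles(@memberships.values.flatten, action, &block)
    else
      false                                         # no context and not a global check
    end
  end

  def allowed_to_globally?(action, options = {}, &block)
    allowed_to?(action, nil, options.merge(global: true), &block)
  end

  private

  # The optional block receives (role, user) and can veto an otherwise matching role.
  def check_roles(roles, action)
    roles.any? { |r| r.allowed_to?(action) && (block_given? ? yield(r, self) : true) }
  end
end
```

The checks return booleans only; a controller still has to act on the result (for example by rendering a 403) for access to actually be restricted.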