Hey all, I'm trying to add authorization to a rather large app that already exists, but I have to obfuscate the details a bit.

Here's the background:

In our app we have a number or roles that are hierarchical, roughly like this:

BasicUser -> SuperUser -> Admin -> SuperAdmin

For authorization each User model instance has an attribute 'role' which corresponds to the above.

We have a RESTful controller "Users" that is namespaced under Backoffice. So in short it's Backoffice::UsersController.

class Backoffice::UsersController < ApplicationController
  filter_access_to :all
  #... RESTful actions + some others
end

So here's the problem:

We want users to be able to give permissions for users to edit users but ONLY if they have a 'smaller' role than they currently have. I've created the following in authorization_rules.rb

authorization do
  role :basic_user do
    has_permission_on :backoffice_users, :to => :index
  end
  role :super_user do
    includes :basic_user
    has_permission_on :backoffice_users, :to => :edit do
      if_attribute :role => is_in { %w(basic_user) }
    end
  end
  role :admin do
    includes :super_user
  end
  role :super_admin do
    includes :admin
  end
end

And unfortunately that's as far as I got, the rule doesn't seem to get applied.

1. If I comment the rule out, nobody can edit
2. If I leave the rule in you can edit everybody

I've also tried a couple of variations on the if_attribute:

if_attribute :role => is { 'basic_user' }
if_attribute :role => 'basic_user'

and they get the same effect. Does anybody have any suggestions?