Out of the box, Jifty-based applications have an ACL system. The system automatically validates ACLs on Jifty::Record objects by calling the method current_user_can before any create, read, update, or delete operation. In all cases, the arguments passed to the CRUD operation are passed as extra arguments to current_user_can.
On create(), we reject the operation if current_user_can('create') returns false.

On somefieldname, we reject the operation if current_user_can('read') returns false.

On set_somefieldname, we reject the operation if current_user_can('write') returns false.

On delete(), we reject the operation if current_user_can('delete') returns false.
Out of the box, current_user_can returns 1. When you want to actually check ACLs, you'll need to override current_user_can() in your
It's likely that at some point, you'll decide you want to ask other questions on certain types of operation. Say, you only want to let administrators update the paid_account field. In that case, you'd override check_update_rights() to look for the admin right rather than the update right, if the
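As an added illustration of the two overrides described above (example code, not from the Jifty manual or the Jifty distribution): a hypothetical MyApp::Model::Account that denies by default, lets a row's owner read and change it, and routes changes to paid_account through an application-defined admin right. The MyApp::Record base class and the is_admin column on the application's User model are assumptions.

```perl
package MyApp::Model::Account;
use strict;
use warnings;

use Jifty::DBI::Schema;
use MyApp::Record schema {    # assumption: the app's Jifty::Record subclass
    column owner_id     => type is 'integer';
    column paid_account => type is 'boolean', default is 0;
    column nickname     => type is 'text';
};

# Every create/read/update/delete check ends up here. $right is the
# operation name and %args is whatever the CRUD call itself received.
sub current_user_can {
    my ( $self, $right, %args ) = @_;
    my $user = $self->current_user;

    # The superuser (bootstrap / admin context) bypasses ACLs entirely.
    return 1 if $user->is_superuser;

    # 'admin' is an application-defined right; assumes the app's User
    # model carries a boolean is_admin column.
    if ( $right eq 'admin' ) {
        return ( $user->user_object && $user->user_object->is_admin ) ? 1 : 0;
    }

    # Any logged-in user may create a new account row.
    return 1 if $right eq 'create' && defined $user->id;

    # Read/write/delete on an existing row: owner only. Use __value() here,
    # not owner_id(): the public accessor runs the read ACL, which would call
    # current_user_can('read') again and recurse without end.
    return 1
        if $self->id
        && defined $user->id
        && $self->__value('owner_id') == $user->id;

    return 0;    # deny by default; no implicit allow
}

# Tighten one column: paid_account requires the admin right, whatever
# current_user_can('update') would have said. Jifty's set_* accessors pass
# column => ... and value => ... through to this method.
sub check_update_rights {
    my ( $self, %args ) = @_;

    if ( defined $args{column} && $args{column} eq 'paid_account' ) {
        return $self->current_user_can( 'admin', %args );
    }
    return $self->SUPER::check_update_rights(%args);
}

1;
```

Because current_user_can returns 0 for anything it does not explicitly allow, adding a new right or column later fails closed rather than open.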