Role-based authorization by fields

I was going to use the ember-can add-on to manage User’s access. It seems like its implementation supposes the authorizations to be applied by actions (like edit, delete, create, manageSomeThing, etc…). But what to do if I need to apply the restrictions by fields and not by actions? For example,

  • if the user is Student, he/she can only read the value of field ‘A’
  • if the user is Teacher, he/she can edit the value of field ‘A’.

and so on for other fields of a form. In the beginning, I thought I would simply enable/disable the submit button of the form. Now the client would like to manage it by fields, making them disabled/enabled depending on the User role. It seems a little bit verbose to check the User role on all the pages and for every field, IMHO.

What do you think? Is there a better solution?

If you didn’t want to use ember-can for this you could write a custom helper (I did something like this in an app called i-am) that just returns true/false based on a given role or list of roles e.g.:

<input disabled={{not (i-am 'Teacher' 'Admin')}} ...>

<input disabled={{i-am 'Student'}} ...>

The downside is you’re baking a lot of role-specific stuff right into your templates, so if the roles ever changed you’d have to go through the app and find all the places where you use logic like this.

Thank you @dknutsen for the reply. I’ll think about it. I think I’ll stick with ember-can’s way and just disable field(s) based on the User role in the templates. Another problem will be to manage it on the backend (with the Rails Pundit gem).
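To make the two ideas in this thread concrete (a role-list helper like `i-am` for the templates, and the backend enforcement the original poster mentions), here is an added example that is not code from the thread, from ember-can or from Pundit. It keeps a single role-to-field permission matrix (constructed here as an assumption: roles Student, Teacher, Admin and fields A, B) and derives three things from it: the `i-am` style role test, the list of fields a template should render disabled, and a server-side attribute filter that drops fields the role is not allowed to edit. The last part is the important one from a security standpoint: a disabled input is a usability hint, and the backend must apply the same matrix to whatever payload actually arrives. The Ember `helper()` wrapper is left out so the logic runs in plain Node.

```javascript
// Field-level permission matrix: role -> field -> highest permitted level.
// Constructed sample data for this example; not taken from the thread.
const FIELD_PERMISSIONS = {
  Student: { A: 'read', B: 'none' },
  Teacher: { A: 'edit', B: 'read' },
  Admin:   { A: 'edit', B: 'edit' },
};

// Ordered levels so "edit" implies "read".
const LEVELS = { none: 0, read: 1, edit: 2 };

// Look up the level a role has on a field. Unknown roles or fields are
// denied by default, so a forgotten entry fails closed rather than open.
function permissionLevel(role, field) {
  const perms = FIELD_PERMISSIONS[role];
  if (!perms || !Object.prototype.hasOwnProperty.call(perms, field)) return LEVELS.none;
  return LEVELS[perms[field]] || LEVELS.none;
}

function canRead(role, field) {
  return permissionLevel(role, field) >= LEVELS.read;
}

function canEdit(role, field) {
  return permissionLevel(role, field) >= LEVELS.edit;
}

// Logic behind an `i-am` style helper: true when the current role is one of
// the listed roles. In an Ember app this function body would be wrapped with
// helper() from '@ember/component/helper' (hypothetical wiring, not shown).
function iAm(currentRole, ...allowedRoles) {
  return allowedRoles.includes(currentRole);
}

// Template-side use: which of a form's fields should be rendered disabled
// for the given role. Centralising this avoids repeating role names in
// every template, which was the concern raised in the thread.
function disabledFields(role, fields) {
  return fields.filter((field) => !canEdit(role, field));
}

// Backend counterpart (what a Pundit permitted_attributes policy would do):
// strip any attribute the role may not edit before the record is saved,
// and report which ones were rejected so the request can be logged.
function permittedAttributes(role, payload) {
  const allowed = {};
  const rejected = [];
  for (const [field, value] of Object.entries(payload)) {
    if (canEdit(role, field)) {
      allowed[field] = value;
    } else {
      rejected.push(field);
    }
  }
  return { allowed, rejected };
}

// Stand-alone demonstration.
console.log(disabledFields('Student', ['A', 'B']));            // [ 'A', 'B' ]
console.log(permittedAttributes('Teacher', { A: 1, B: 2, C: 3 })); // A kept, B and C rejected
```

Note that `permittedAttributes` rejects field `C` for Teacher even though `C` is not in the matrix at all; that default-deny behaviour is what keeps a new form field from becoming silently editable by everyone until someone remembers to add a rule.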