Grant access to nested resources over can can

[sebastianzillessen]

Hi there,

I have a platform where we have Users (devise). Then we have Courses an admin can add a user to a course to be a moderator, each Course has many Videos.

How can I manage it, to get the following approach working:

resources :courses do
    resources :videos, except: [:index]
end

A moderator of a course should be able to add videos (nested routes, so we have courses/2/videos/new as a route). But no other user should be able to add a video to a course where he is not moderator.

The abilities are managed over an database model (Permission) like suggested in the wiki.

What I have so far is:

# Allow all users who can read a course to read the videos of this course as well.
can :read, Video do |video|
  can? :read, video.course
end

# allow a moderator of a course to manage videos in this course
# THIS IS NOT WORKING SO FAR
can :manage, Video do |video|
  can? :moderate, video.course
end

The last ability is not working because if my controller starts the action, the course is somehow not set for that video

 # GET /videos/new
 def new
  # @course is set by the nested routing
  @video = Video.new(course: @course)
 end

Any ideas?