I have User, Account, and Role models. Role stores the relationship type between Account and User.
I know that *attr_accessible* should be blank in the Role model to prevent attackers from changing either the role type (owner, admin, moderator, subscriber), account, or user ids. But what if an admin wants to change a subscriber to a moderator? This would raise a mass assignment security exception: user = User.find(params[:id]) role = user.roles.find_by_account_id(params[:account_id]) role.type = "admin" How do I solve this? One way is to create a separate model to represent each role (owner, admin, moderator, subscriber) and use an STI type pattern. This lets me do: user = User.find(params[:id]) user.moderatorship.build(account_id: params([:account_id]) Tedious! I would have to create Onwership, Moderatorship, Subscribership, etc..., and have them inherit from Role. If I want to stick to a single Role model, how can I modify a role type without a having a mass assignment security flaw? Also, I would appreciate an answer to this: Should I use a User has_many roles (user can have a single record for each role type) or has_one role (user can only have one role record, which must be toggled if their role changes) pattern? Models: class User < ActiveRecord::Base attr_accessible :name, :email has_many :accounts, through: roles end class Account < ActiveRecord::Base attr_accessible :title belongs_to :user end class Role < ActiveRecord::Base attr_accessible end -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/sEc1RkV7VisJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
