After doing my own research, it looks like I can approach this two ways:

1. Episode 237, Railscasts, Dynamic attr_accessible, overriding mass_assignment_authorizer
2. I can use attr_accessible :role, as: :admin
I would appreciate it if anyone can elaborate on the merits of either approach.

On Sunday, April 29, 2012 4:48:12 PM UTC-4, Mohamad El-Husseini wrote:
>
> I have User, Account, and Role models. Role stores the relationship type
> between Account and User.
>
> I know that *attr_accessible* should be blank in the Role model to
> prevent attackers from changing either the role type (owner,
> admin, moderator, subscriber), account, or user ids.
>
> But what if an admin wants to change a subscriber to a moderator? This
> would raise a mass assignment security exception:
>
>     user = User.find(params[:id])
>     role = user.roles.find_by_account_id(params[:account_id])
>     role.type = "admin"
>
> How do I solve this? One way is to create a separate model to represent
> each role (owner, admin, moderator, subscriber) and use an STI type
> pattern. This lets me do:
>
>     user = User.find(params[:id])
>     user.moderatorship.build(account_id: params[:account_id])
>
> Tedious! I would have to create Ownership, Moderatorship, Subscribership,
> etc., and have them inherit from Role. If I want to stick to a single
> Role model, how can I modify a role type without having a mass assignment
> security flaw?
>
> Also, I would appreciate an answer to this: Should I use a User has_many
> roles (user can have a single record for each role type) or has_one role
> (user can only have one role record, which must be toggled if their role
> changes) pattern?
>
> Models:
>
>     class User < ActiveRecord::Base
>       attr_accessible :name, :email
>
>       has_many :roles
>       has_many :accounts, through: :roles
>     end
>
>     class Account < ActiveRecord::Base
>       attr_accessible :title
>
>       belongs_to :user
>     end
>
>     class Role < ActiveRecord::Base
>       attr_accessible
>     end
>

To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/lP97z64Gr8oJ.
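The following is an added example, not code from the thread or from Rails itself. It is a small self-contained model of the Rails 3.x attr_accessible mechanism (roles via `as:`, the strict sanitizer that raises, and the overridable `mass_assignment_authorizer`) so the two approaches in the reply can be run side by side without a Rails install. The `MassAssignment` module is an illustration of how the whitelist is consulted, not ActiveModel's code; `DynamicRole`, its `editable_by_admin` flag and the `update_role` helper are invented names. One point worth seeing in the output: protection only applies to mass assignment (`new(params)`, `update_attributes`, `assign_attributes`), so a direct setter such as `role.type = "admin"` in a controller is never checked and never raises; the whitelist matters when request parameters are assigned in bulk.

```ruby
# Added example (not from the thread): a minimal model of Rails 3.x-style
# attr_accessible roles and the mass_assignment_authorizer hook.
require "set"

class MassAssignmentError < StandardError; end

module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # attr_accessible :a, :b           -> whitelist for the :default role
    # attr_accessible :c, as: :admin   -> whitelist for the :admin role only
    def attr_accessible(*attrs, as: :default)
      Array(as).each { |role| own_accessible_attributes(role).merge(attrs.map(&:to_s)) }
    end

    def own_accessible_attributes(role)
      (@accessible ||= {})[role] ||= Set.new
    end

    # Whitelist for a role, including anything declared on a parent class.
    def accessible_attributes(role = :default)
      inherited = superclass.respond_to?(:accessible_attributes) ? superclass.accessible_attributes(role) : Set.new
      inherited | own_accessible_attributes(role)
    end
  end

  # Hook for approach 1 (Railscasts 237): a model overrides this to widen
  # the whitelist at runtime for a particular instance.
  def mass_assignment_authorizer(role)
    self.class.accessible_attributes(role)
  end

  # Counterpart of update_attributes / Model.new(params): every key is checked
  # against the whitelist; the strict sanitizer raises, as in the thread.
  def assign_attributes(attrs, as: :default, without_protection: false)
    attrs.each do |key, value|
      key = key.to_s
      unless without_protection || mass_assignment_authorizer(as).include?(key)
        raise MassAssignmentError, "Can't mass-assign protected attribute: #{key}"
      end
      public_send("#{key}=", value)
    end
    self
  end
end

# Approach 2 from the reply: a second role whose whitelist covers the
# privileged columns. The :default role stays empty, as the original post wants.
class Role
  include MassAssignment
  attr_accessor :type, :account_id, :user_id
  attr_accessible :type, :account_id, :user_id, as: :admin
end

# Approach 1 from the reply: a dynamic authorizer. The caller flags the record
# (invented attribute `editable_by_admin`) and the override adds :type for it.
class DynamicRole < Role
  attr_accessor :editable_by_admin

  def mass_assignment_authorizer(role)
    extra = editable_by_admin ? Set["type"] : Set.new
    super(role) | extra
  end
end

# Controller-style helper (invented name): the role is derived from the current
# user's privilege on the server, never taken from the request parameters.
def update_role(role_record, params, current_user_is_admin:)
  role_record.assign_attributes(params, as: current_user_is_admin ? :admin : :default)
end

def demo
  results = {}
  # A subscriber submits type=owner: rejected by the empty :default whitelist.
  begin
    update_role(Role.new, { "type" => "owner" }, current_user_is_admin: false)
    results[:subscriber_escalation] = :allowed
  rescue MassAssignmentError
    results[:subscriber_escalation] = :blocked
  end
  # An admin performs the same update through the :admin role: accepted.
  results[:admin_update] = update_role(Role.new, { "type" => "moderator" }, current_user_is_admin: true).type
  # Dynamic authorizer: same columns, whitelist widened for this instance only.
  dynamic = DynamicRole.new
  dynamic.editable_by_admin = true
  results[:dynamic_update] = dynamic.assign_attributes({ "type" => "admin" }).type
  # A direct setter is not mass assignment and is never checked.
  plain = Role.new
  plain.type = "admin"
  results[:direct_setter] = plain.type
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Whichever approach is used, the role passed to `as:` must come from the authenticated user's privilege, not from anything in `params`; otherwise the second whitelist is just a second door.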

