On Apr 29, 9:48 pm, Mohamad El-Husseini <[email protected]> wrote:

> I have User, Account, and Role models. Role stores the relationship type
> between Account and User.
>
> I know that *attr_accessible* should be blank in the Role model to prevent
> attackers from changing either the role type (owner, admin, moderator,
> subscriber), account, or user ids.
>
> But what if an admin wants to change a subscriber to a moderator? This
> would raise a mass assignment security exception:
>
>     user = User.find(params[:id])
>     role = user.roles.find_by_account_id(params[:account_id])
>     role.type = "admin"

No it wouldn't. You can always do foo.bar = 'baz', whether or not the bar
attribute is accessible. What attr_accessible controls is what would happen
if you did role.update_attributes(params[:role]).

Fred

> How do I solve this? One way is to create a separate model to represent
> each role (owner, admin, moderator, subscriber) and use an STI type
> pattern. This lets me do:
>
>     user = User.find(params[:id])
>     user.moderatorship.build(account_id: params[:account_id])
>
> Tedious! I would have to create Ownership, Moderatorship, Subscribership,
> etc..., and have them inherit from Role. If I want to stick to a single
> Role model, how can I modify a role type without having a mass assignment
> security flaw?
>
> Also, I would appreciate an answer to this: Should I use a User has_many
> roles (user can have a single record for each role type) or has_one role
> (user can only have one role record, which must be toggled if their role
> changes) pattern?
>
> Models:
>
>     class User < ActiveRecord::Base
>       attr_accessible :name, :email
>
>       has_many :roles
>       has_many :accounts, through: :roles
>     end
>
>     class Account < ActiveRecord::Base
>       attr_accessible :title
>
>       belongs_to :user
>     end
>
>     class Role < ActiveRecord::Base
>       attr_accessible
>     end
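To make Fred's point concrete, here is an added example (not code from the thread, and not ActiveRecord itself): a small plain-Ruby stand-in for the attr_accessible whitelist, with a strict sanitizer that raises on protected keys. It assumes a Role with a type, account_id and user_id, and shows that the whitelist is consulted only on the mass-assignment path (the update_attributes(params[:role]) case), while a plain setter such as role.type = "admin" goes through untouched.

```ruby
# Added example: a minimal stand-in for the attr_accessible whitelist
# (NOT ActiveRecord), to show where mass-assignment protection applies.
class MassAssignmentError < StandardError; end

module AttrAccessible
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # attr_accessible with no arguments leaves the whitelist empty,
    # exactly like the Role model in the original post.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Stand-in for update_attributes(params[:role]): only this path consults
  # the whitelist. With a strict sanitizer, a protected key raises.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      unless self.class.accessible_attributes.include?(key.to_s)
        raise MassAssignmentError, "Can't mass-assign protected attribute: #{key}"
      end
      public_send("#{key}=", value)
    end
    self
  end
end

class Role
  include AttrAccessible
  attr_accessor :type, :account_id, :user_id
  attr_accessible # empty whitelist: nothing may be mass-assigned
end

# The admin's explicit assignment: bypasses the whitelist, no exception.
def promote_directly(role)
  role.type = "admin"
  role.type
end

# The same change fed straight from request params: the whitelist rejects it.
def promote_via_params(role, params)
  role.assign_attributes(params[:role])
  :assigned
rescue MassAssignmentError => e
  e.message
end
```

The distinction is the whole security argument: keep the whitelist empty so request hashes can never set type, account_id or user_id, and have the admin action set type itself after its own authorization check.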

