On Jan 15, 6:06 pm, Robert Walker <[email protected]> wrote:
> Andrew France wrote:
> > On Jan 15, 7:15 am, Robert Walker <[email protected]> wrote:
> >> This was what I was referring to when mentioning not seeing the benefit.
> >> How is this any safer than update_attributes coupled with
> >> attr_accessible or attr_protected?
> >
> > The benefit for me is that I only want certain attributes to be
> > updated in certain controller contexts. I may have several attributes
> > on the user model that only the root user can update so I would set
> > them to protected in the model and can override it in the controller
> > when the user is root.
>
> Thanks for explaining. I was trying to figure out what benefit you were
> gaining by this. That clears things up a bit. I haven't used it myself,
> but I have heard of a model level authorization framework called
> Lockdown. Maybe it's something you could look at to see if it serves
> your needs.
>
> http://github.com/stonean/lockdown

Thanks Robert, I had a look at the documentation for Lockdown. Like similar authorization frameworks (I use declarative_authorization) it seems to support model level access where I can control which users can do what CRUD actions on specific models, but not the actual attributes that are set. I don't really expect auth frameworks to support such a low-level (and rare?) problem.

Cheers for the help.

Andrew
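The per-context restriction discussed in this thread (attributes protected by default, writable only when the acting user is root), sketched as an added example that is not part of the original messages or of any framework's API. It is plain Ruby without Rails; the `User` class, the role names and the attribute names are hypothetical.

```ruby
# Added example: per-role attribute allowlisting in plain Ruby (no Rails needed).
# The User class, role names and attribute names are hypothetical.
class User
  # Attributes any signed-in user may set.
  BASE_ATTRS = %w[name email].freeze
  # Extra attributes that only a given role may set.
  ROLE_ATTRS = { root: %w[admin account_locked] }.freeze

  attr_reader :attributes

  def initialize(attributes = {})
    @attributes = { "name" => nil, "email" => nil,
                    "admin" => false, "account_locked" => false }.merge(attributes)
  end

  # Allowlist for a role; unknown roles get only the base set.
  def self.assignable_for(role)
    BASE_ATTRS + ROLE_ATTRS.fetch(role, [])
  end

  # Applies only allowlisted keys and returns the rejected keys, so the
  # controller can log or refuse the request instead of dropping them silently.
  def update_as(role, params)
    allowed = self.class.assignable_for(role)
    # Normalize symbol keys so :admin cannot slip past a string allowlist.
    normalized = params.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
    permitted, rejected = normalized.partition { |k, _| allowed.include?(k) }
    permitted.each { |k, v| @attributes[k] = v }
    rejected.map(&:first)
  end
end

# Constructed request parameters, as a controller would receive them.
params = { "name" => "Andrew", :admin => true, "unknown_field" => "x" }

member = User.new
member_rejected = member.update_as(:member, params)

root_edit = User.new
root_rejected = root_edit.update_as(:root, params)
```

The same request is applied twice: for the non-root role the `admin` key is rejected and reported, while for `root` it is accepted; keys outside every allowlist are rejected in both cases.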

