4

I would like to use Rails' new dynamic attr_accessible feature. However, each of my users has many roles (I am using declarative authorization). So I have the following in my model:

class Student < ActiveRecord::Base
  attr_accessible :first_name, :as => :admin
end

and I pass this in my controller:

@student.update_attributes(params[:student], :as => user_roles)

user_roles is an array of symbols:

   user_roles = [:admin, :employee]

I would like my model to check if one of the symbols in the array matches with the declared attr_accessible. Therefore I avoid any duplication.

For example, given that user_roles = [:admin, :employee], this works:

@student.update_attributes(params[:student], :as => user_roles.first)

but it is useless if I can only verify one role or symbol because all my users have many roles.

Any help would be greatly appreciated.

***************UPDATE************************

You can download an example app here: https://github.com/jalagrange/roles_test_app

There are 2 examples in this app: Students, in which I cannot update any attributes, despite the fact that 'user_roles = [:admin, :student]'; and People, in which I can change only the first name because I am using "user_roles.first" in the controller update action. Hope this helps. I'm sure somebody else must have this issue.

jalagrange
  • Who could be :admin or :student? I guess that a user has to be assigned a role first (either as :admin or :student) before its role could be verified for proper right. – user938363 Dec 09 '11 at 18:45
  • Yes, completely true. A user is first assigned a role. Personally I use "Declarative Authorization". Therefore all of my users have a certain role associated to them. This is because Declarative authorization has a method called "role_symbols" which returns an array of symbols just like "user_roles" in the example above. – jalagrange Dec 12 '11 at 20:22

1 Answer

1

You can monkey-patch ActiveModel's mass assignment module as follows:

# in config/initializers/mass_assignment_security.rb

module ActiveModel::MassAssignmentSecurity::ClassMethods

  # Accept a single role or an array of roles and return the union
  # of the attributes declared accessible for each of them.
  def accessible_attributes(roles = :default)
    whitelist = ActiveModel::MassAssignmentSecurity::WhiteList.new
    Array.wrap(roles).inject(whitelist) do |allowed_attrs, role|
      allowed_attrs + accessible_attributes_configs[role].to_a
    end
  end

end

That way, you can pass an array as the :as option to update_attributes.

Note that this probably breaks if accessible_attributes_configs contains a BlackList (from using attr_protected).

axelarge
  • OK, this could work. Where should I do this? In a new model file? In the configuration? Thanks – jalagrange Sep 27 '11 at 19:03
  • @jalagrange You can put this inside a file in config/initializers. It will be loaded when rails starts. The file name is not important. – axelarge Sep 28 '11 at 11:23
  • Hello @axelarge, I just tried this and it doesn't work :-(. I'm doing exactly as stated in my question: passing ":as => user_roles", which contains an array of symbols: user_roles = [:admin, :employee]. Any other suggestions? – jalagrange Sep 28 '11 at 23:06
  • @jalagrange That is strange, I set up an example app and it worked for me. Maybe you can post the relevant parts of your model and controller on https://gist.github.com/ or some such? – axelarge Sep 29 '11 at 07:55
  • Sorry @axelarge, I've been away for the last couple of weeks. Thank you for all the help, I will post my code in a couple of hours. Maybe you can post your example app too. I'll let you know when it's ready – jalagrange Oct 14 '11 at 21:27
  • Hello @axelarge, I have just created a [Git repo](https://github.com/jalagrange/roles_test_app). There you will find my example code which does not work. There are 2 examples: **Students**, in which I cannot update any attributes, despite the fact that 'user_roles = [:admin, :student]'; and **People**, in which I can change only the first name because I am using "user_roles.first" in the controller update action. Hope this helps. I'm sure somebody else must have this issue. – jalagrange Oct 31 '11 at 19:16
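
The multi-role behaviour asked for in the question (an attribute is writable if any one of the user's roles allows it), as a stand-alone added example that is not part of the original answer and does not use Rails. The `RoleWhitelist` class, its method names and the sample rules and params are hypothetical and constructed for illustration.

```ruby
require 'set'

# Stand-alone model of per-role attribute whitelists (hypothetical, not Rails code).
class RoleWhitelist
  def initialize
    @configs = {} # role symbol => Set of attribute names (strings)
  end

  # Declare attributes writable by one role or by several.
  def allow(*attrs, as: :default)
    Array(as).each { |role| (@configs[role] ||= Set.new).merge(attrs.map(&:to_s)) }
    self
  end

  # Union of the whitelists of every role passed in. A role with no
  # declaration contributes nothing, so unknown roles fail closed.
  def permitted(roles = :default)
    Array(roles).reduce(Set.new) { |acc, role| acc | @configs.fetch(role, Set.new) }
  end

  # Drop every key that none of the given roles may write.
  def sanitize(params, roles = :default)
    allowed = permitted(roles)
    params.select { |key, _value| allowed.include?(key.to_s) }
  end
end

# Constructed rules and request params for illustration.
STUDENT_RULES = RoleWhitelist.new
  .allow(:first_name, as: :admin)
  .allow(:nickname, as: [:admin, :employee])
  .allow(:grade, as: :teacher)

PARAMS = {
  'first_name' => 'Ana', 'nickname' => 'an',
  'grade' => 'A', 'is_admin' => '1'
}.freeze

if __FILE__ == $PROGRAM_NAME
  p STUDENT_RULES.sanitize(PARAMS, [:admin, :employee])
  p STUDENT_RULES.sanitize(PARAMS, :employee)
  p STUDENT_RULES.sanitize(PARAMS, [:guest])
end
```

Because the result is a union, granting a user an extra role can only widen what that user may mass-assign, so each role's list should be reviewed with the combined set in mind.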