Where and how to assign a user :admin role for attr_accessible in rails 3.1?

Question

In Rails guide in http://edgeguides.rubyonrails.org/security.html, section 6.1, it introduces a role for attr_accessible with :as option,

attr_accessible :name, :is_admin, :as => :admin

My question is, if a user log in, where and how can I assign the user to :admin role so she/he gets the right to mass assign with attr_accessible? Also can I define my own role such as group_to_update? If it does, what should go into the definition of group_to_update?

Thanks.

Answer 1

You are using some technical terminology in vague ways that is making your understanding of this process muddled, so I'm going to clear up this terminology first.

where and how can I assign the user to :admin role

The 'role' used in the :as parameter to attr_accessible is not a user role. It is an attribute role. It means that attribute is protected from overwriting unless that role is specified in the statement that sets the attribute. So, this system is independent of any user system. Your application doesn't even need to have users to have roles in mass assignment.

can I define my own role such as group_to_update

Roles are not really "defined" in any formal sense at all. In any place that a role is expected, simply use any symbol/string (e.g. :group_to_update) as the role. No need to specify it anywhere else ahead of time.

Here's how it works. Normally, during mass assignment of a hash to model attributes, all of the model's attributes are used as keys to the assigned hash. So if you have a Barn model and barn instance of it, with three attributes horse, cat, and rabbit, then this:

barn.attributes = params

Is essentially the same as doing:

barn.horse = params[:horse]
barn.cat = params[:cat]
barn.rabbit = params[:rabbit]

Now, if you set any attr_accessible on the barn model, only the attributes you set there will be updated when you use mass assignment. Example:

class Barn < ActiveRecord::Base
    attr_accessible :cat
    attr_accessible :rabbit
end

Then this:

barn.attributes = params

Will only do this:

barn.cat = params[:cat]
barn.rabbit = params[:rabbit]

Because only 'cat' and 'rabbit' are set to accessible ('horse' is not). Now consider setting an attribute role like this:

class Barn < ActiveRecord::Base
    attr_accessible :cat
    attr_accessible :rabbit, :as => :banana
end

First, note that the the role can by anything you want as long as it is a symbol/string. In this case, I made the role :banana. Now, when you set a role on an attr_accessible attribute, it normally does not got assigned. This:

barn.attributes = params

Will now only do this:

barn.cat = params[:cat]

But you can assign attributes using a specific role by using the assign_attributes method. So you can do:

barn.assign_attributes(params, :as => :banana)

This will assign all normally-protected params as well as all params protected under the role :banana:

barn.cat = params[:cat]
barn.rabbit = params[:rabbit]

So consider a longer example with more attributes:

class Barn < ActiveRecord::Base
    attr_accessible :cat
    attr_accessible :rabbit, :as => :banana
    attr_accessible :horse, :as => :banana
    attr_accessible :cow, :as => :happiness
end

Then you can use those roles when assigning attributes. This:

barn.assign_attributes(params, :as => :banana)

Corresponds to:

barn.cat = params[:cat]
barn.rabbit = params[:rabbit]
barn.horse = params[:horse]

And this:

barn.assign_attributes(params, :as => :happiness)

Corresponds to:

barn.cat = params[:cat]
barn.cow = params[:cow]

Now, if you choose to, you can make user roles (e.g. a "role" column on your User model) correspond to attribute roles on any model. So you could do something like this:

barn.assign_attributes(params, :as => user.role)

If this user's role happens to be banana, then (using our last model example) it will set attributes on barn for cat, rabbit, and horse. But this is just one way to use attribute roles. It is entirely up to you if you want to use them a different way.