In Rails guide in http://edgeguides.rubyonrails.org/security.html, section 6.1, it introduces a role for attr_accessible with :as option,
attr_accessible :name, :is_admin, :as => :admin
My question is, if a user log in, where and how can I assign the user to :admin role so she/he gets the right to mass assign with attr_accessible? Also can I define my own role such as group_to_update? If it does, what should go into the definition of group_to_update?
Thanks.
You are using some technical terminology in vague ways that is making your understanding of this process muddled, so I'm going to clear up this terminology first.
where and how can I assign the user to :admin role
The 'role' used in the :as
parameter to attr_accessible
is not a user role. It is an attribute role. It means that attribute is protected from overwriting unless that role is specified in the statement that sets the attribute. So, this system is independent of any user system. Your application doesn't even need to have users to have roles in mass assignment.
can I define my own role such as group_to_update
Roles are not really "defined" in any formal sense at all. In any place that a role is expected, simply use any symbol/string (e.g. :group_to_update
) as the role. No need to specify it anywhere else ahead of time.
Here's how it works. Normally, during mass assignment of a hash to model attributes, all of the model's attributes are used as keys to the assigned hash. So if you have a Barn
model and barn
instance of it, with three attributes horse
, cat
, and rabbit
, then this:
barn.attributes = params
Is essentially the same as doing:
barn.horse = params[:horse]
barn.cat = params[:cat]
barn.rabbit = params[:rabbit]
Now, if you set any attr_accessible
on the barn model, only the attributes you set there will be updated when you use mass assignment. Example:
class Barn < ActiveRecord::Base
attr_accessible :cat
attr_accessible :rabbit
end
Then this:
barn.attributes = params
Will only do this:
barn.cat = params[:cat]
barn.rabbit = params[:rabbit]
Because only 'cat' and 'rabbit' are set to accessible ('horse' is not). Now consider setting an attribute role like this:
class Barn < ActiveRecord::Base
attr_accessible :cat
attr_accessible :rabbit, :as => :banana
end
First, note that the the role can by anything you want as long as it is a symbol/string. In this case, I made the role :banana
. Now, when you set a role on an attr_accessible
attribute, it normally does not got assigned. This:
barn.attributes = params
Will now only do this:
barn.cat = params[:cat]
But you can assign attributes using a specific role by using the assign_attributes
method. So you can do:
barn.assign_attributes(params, :as => :banana)
This will assign all normally-protected params as well as all params protected under the role :banana
:
barn.cat = params[:cat]
barn.rabbit = params[:rabbit]
So consider a longer example with more attributes:
class Barn < ActiveRecord::Base
attr_accessible :cat
attr_accessible :rabbit, :as => :banana
attr_accessible :horse, :as => :banana
attr_accessible :cow, :as => :happiness
end
Then you can use those roles when assigning attributes. This:
barn.assign_attributes(params, :as => :banana)
Corresponds to:
barn.cat = params[:cat]
barn.rabbit = params[:rabbit]
barn.horse = params[:horse]
And this:
barn.assign_attributes(params, :as => :happiness)
Corresponds to:
barn.cat = params[:cat]
barn.cow = params[:cow]
Now, if you choose to, you can make user roles (e.g. a "role" column on your User model) correspond to attribute roles on any model. So you could do something like this:
barn.assign_attributes(params, :as => user.role)
If this user
's role happens to be banana
, then (using our last model example) it will set attributes on barn for cat, rabbit, and horse. But this is just one way to use attribute roles. It is entirely up to you if you want to use them a different way.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With