ruby on rails - How to update a resource as current user or a non-user? -



ruby on rails - How to update a resource as current user or a non-user? -

in application have next resources post , user. want user able update own post , invitee post , want invitee able update other invitee post not users. invitee non-user (@post.user.blank).

post model belongs_to :user # columns: user_id, name, body end user model has_many :posts end

my controller confused because i'm not sure how create updating post can done current user or invitee without allowing update anyones post. user updating users post.

def update @post = post.find(params[:id]) if @post.update(post_params) redirect_to @post else render action: 'edit' end end def post_params params.require(:post).permit(:name, :body) end

i thinking of doing:

def update @post = post.find(params[:id]) if @post.user == current_user or @post.user.blank? if @post.update(post_params) redirect_to @post else render action: 'edit' end end end

but i'm not sure how safe is. seems user can users post.

is right? how this?

my approach utilize custom validation 'update_user' additional attribute on memory follows:

class post < activerecord::base belongs_to :user attr_accessor :update_user validate :validate_user_scope, on: :update private def validate_user_scope if !(user.blank? || user == update_user) errors.add(:update_user, :not_permitted) end end end class user < activerecord::base has_many :posts end

this merit is, of course, check logic done under rails validation @ model level (not controller).

user's access scope (or access permission) should 1 of "business logic" , "business logic" should 1 of model logic write in model level, think.

i think user2784630's check logic @ next fragment should ok:

if @post.user == current_user or @post.user.blank?

but, if worry comprehensiveness of logic, let's write test or rspec. next illustration of test/models/post_test.rb fixtures:

require 'test_helper' class posttest < activesupport::testcase ... # test of posts of guest, user-a, , user-b updated # guest, user-a, , user-b test "update invitee post user_a" p = posts(:guest_post) p.update_user = users(:user_a) assert p.valid? end ... end

ruby-on-rails ruby ruby-on-rails-4

Comments

Post a Comment

Popular posts from this blog

java Multi query from Mysql using netbeans -

java Multi query from Mysql using netbeans - i have java code retrieve info mysql appropriate code in netbeans.the code below. want multi query such illustration finding total number of products , on.could help me please. in advance import java.sql.*; public class javamysqlselectexample { public static void main(string[] args) { seek { string mydriver = "com.mysql.jdbc.driver"; string myurl = "jdbc:mysql://localhost/sample"; class.forname(mydriver); connection conn = drivermanager.getconnection(myurl, "root", "mypasscode1"); string query = "select * products"; statement st = conn.createstatement(); resultset rs = st.executequery(query); while (rs.next()==true) { int code = rs.getint("code"); string productname = rs.getstring("product_name"); string producttype = rs.getstring("product_type"); system.out.format(" %d, %s, %s\n", code, pr
Read more

c# - DotNetZip fails with "stream does not support seek operations" -

c# - DotNetZip fails with "stream does not support seek operations" - i using dotnetzip in c# unzip stream follows: public static void unzipfromstream(stream stream, string outdir) { //omit seek grab block using (zipfile zip = zipfile.read(stream)){ foreach (zipentry e in zip){ e.extract(outdir, extractexistingfileaction.overwritesilently); } } } stream obtained using webclient client = new webclient(); stream fs = client.openread(url); however, got next exception exception during extracting zip stream system.notsupportedexception: stream not back upwards seek operations. @ system.net.connectstream.get_position() @ ionic.zip.zipfile.read(stream zipstream, textwriter statusmessagewriter, encoding encoding, eventhandler`1 readprogress) on server side(asp.net mvc 4), returning filepathresult or filestreamresult both caused exception. should obtain stream differently on client side? or how create server homec
Read more

c++ - StartServiceCtrlDispatcher don't can access 1063 error -

c++ - StartServiceCtrlDispatcher don't can access 1063 error - i write on c++ service , have error, , don't can fixed it. my service main function int main (int argc, tchar *argv[]) {dword f; for(int i=0;i<113;i++) f = getlasterror(); servicepath = lptstr(argv[0]); outputdebugstring(_t("my sample service: main: entry")); //installservice(); service_table_entry servicetable[] = { {service_name, (lpservice_main_function) servicemain}, {null, null} }; // startservice(); if(!startservicectrldispatcher(servicetable)) { f = getlasterror(); //addlogmessage("error: startservicectrldispatcher"); } else if( memcmp(argv[argc-1],"install",7)) { installservice(); } else if( memcmp(argv[argc-1],"remove",6)) { removeservice(); } else if( memcmp(argv[argc-1],"start",5)) { startservice(); } else if( memcmp(argv[argc-1],"stop",4))
Read more