Use roles in your rails models for mass assignment

As you probably know, with ActiveRecord (more exactly ActiveModel), you can whitelist some fields of your models so they are safe to be mass-assigned from a form.

Sometimes, you want some fields to be alterable by normal users, and other fields to be alterable by admins.

What I did in this case for a long time was to use slice on the params hash or create a if / else statement if the user is admin then individually assign each field.

ActiveModel provide us a much better way to to this.

Let’s assume you have a User model :

class User < ActiveRecord::Base

  attr_accessible :bio

  def role
    self.admin ? :admin : :default
  end
end

You can mass assign the bio field. There is also a role method that will tell us if the user is an admin or a default user.

Now imagine you want your admin users to be able to update other fields, for example, the login field.

Thanks to ActiveModel, we can do that with roles using the as option.

class User < ActiveRecord::Base
  attr_accessible :bio, :as => [:default, :admin]
  attr_accessible :login, :as => [:admin]

  def role
    self.admin ? :admin : :default
  end
end

Now, it’s easy to update the attributes of your model :

user.update_attributes(params[:user], :as => @current_user.role)

Only the fields accessible by the role of the current user will be updated, magic !

Since this features come in the ActiveModel interface, it also work for Mongoid and other ActiveModel based ORMs, priceless.

 
18
Kudos
 
18
Kudos

Now read this

My Ruby on Rails Stack

For deploying Ruby on Rails apps to production, I’ve previously used many different tools to get an idea of what will suit me the most. Today, I think I’ve found what I wanted, so I’d like to share this with you, as picking around on the... Continue →