Rails - Nov 2006 - Blocking/accepting params according to @member.admin?

I have a submission form that displays additional fields if the 
logged-in member is an admin. To be secure, I don''t want these 
particular params to be accepted at all (when the form is submitted) if 
the member isn''t an admin. Any thoughts on how to do this? The model 
doesn''t seem the correct place to mess with params (what I want is like
attr_protected, but according to @member.admin). I''m not interested in 
having separate views/controllers for basically the same form.

Thanks,
Joe

-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

If the parameters are associated with a model, like a submissions
title, dates, etc, they could be edited in the model itself.  I have a
model and put all its editing in the validate() method.  Even some
control-only parameters (not stored in the DB as member attributes) are
defined in the attr_accessor/acccessible sections, and are passed from
the view.  It works well, as I don''t have to worry about any validation
code in the views/controllers.  I figure every object validates itself.

If you took this approach, you can try a control-only variable on the
form @member_level which stores the current member level, and have an
accessor for it in the submission model.  then add any code in the
validate() method which checks the member_level.  This is assuming its
up to the submission to know what each member-level can do to it.

As far as not showing the fields on the view for non-admins, just put
the code in a partial and check it there.  You can call the partial
from any controllers view.  I have a shared view folder and call it
from different views:
<%= render :partial => ''shared/top_menu'' %>


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Hey,

see: http://blog.caboo.se/articles/2006/06/11/stupid-hash-tricks

HTH,
Trevor

On 7-Nov-06, at 1:21 PM, Joe Ruby MUDCRAP-CE wrote:
>
> I have a submission form that displays additional fields if the
> logged-in member is an admin. To be secure, I don''t want these
> particular params to be accepted at all (when the form is  
> submitted) if
> the member isn''t an admin. Any thoughts on how to do this? The
model
> doesn''t seem the correct place to mess with params (what I want is
> like
> attr_protected, but according to @member.admin). I''m not
interested in
> having separate views/controllers for basically the same form.
>
> Thanks,
> Joe
>
> -- 
> Posted via http://www.ruby-forum.com/.
>
> 
--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

One correction to my previous post... I went back and checked the
code... I don''t get the member_level value from the form.  Ths would be
insecure as anybody can pass a higher level.  I get the member.id from
session[:member_id] and look up the user in the DB and retrieve the
member_level.  You can also store it in session[:member_level].

Bart


--~--~---------~--~----~------------~-------~--~----~
 You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---