Astorian
2007-Dec-10 18:33 UTC
Validate Object Ownership (user_id) in model, or in controller?
Quick best practices question ...

I have a number of models with a user_id attribute

I am using the acts_as_authenticated plugin which lets you use something like current_user to extract the current user from the session. I have used this in my controllers successfully.

Would it be "wrong" to use this as a model validation? How would I make this accessible to the model? I can't seem to get it to work from within a model.

I'd like to write something that checks every model update, and verifies ownership (previous owner is current owner)

Thanks in advance for your help

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en

Stephan Wehner
2007-Dec-10 19:47 UTC
Re: Validate Object Ownership (user_id) in model, or in cont
Astorian wrote:
> Quick best practices question ...
>
> I have a number of models with a user_id attribute
>
> I am using the acts_as_authenticated plugin which lets you use
> something like current_user to extract the current user from the
> session. I have used this in my controllers successfully.
>
> Would it be "wrong" to use this as a model validation? How would I
> make this accessible to the model? I can't seem to get it to work from
> within a model.
>
> I'd like to write something that checks every model update, and
> verifies ownership (previous owner is current owner)
>
> Thanks in advance for your help

You are saying there is a user_id column?

A model validation like this makes sense to me:

    validates_each :user_id do |record, attr_name, value|
      # Add an error unless the record's user_id matches the current user
      record.errors.add(attr_name, 'cannot be changed by current user') unless User.current.id == value
    end

User.current is supposed to give you the currently logged in user.

You would need to initialize the user_id on creation to pass this test.

Stephan
--
Posted via http://www.ruby-forum.com/.

Charles
2007-Dec-10 20:41 UTC
Re: Validate Object Ownership (user_id) in model, or in cont
current_user is provided by acts_as_authenticated through the following method:

    def current_user
      # Memoized lookup of the logged-in user from the session; :false when nobody is logged in
      @current_user ||= (session[:user] && User.find_by_id(session[:user])) || :false
    end

Because of the sessions usage, I don't think you want to use model validation. In the controllers you can do current_user.widgets.find() (instead of just Widget.find()) which will only bring up authenticated items,

thanks,
C.

On Dec 10, 2:47 pm, Stephan Wehner <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Astorian wrote:
> > Quick best practices question ...
> >
> > I have a number of models with a user_id attribute
> >
> > I am using the acts_as_authenticated plugin which lets you use
> > something like current_user to extract the current user from the
> > session. I have used this in my controllers successfully.
> >
> > Would it be "wrong" to use this as a model validation? How would I
> > make this accessible to the model? I can't seem to get it to work from
> > within a model.
> >
> > I'd like to write something that checks every model update, and
> > verifies ownership (previous owner is current owner)
> >
> > Thanks in advance for your help
>
> You are saying there is a user_id column?
>
> A model validation like this makes sense to me:
>
> validates_each :user_id do |record, attr_name, value|
>   record.errors.add(attr_name, 'cannot be changed by current user') unless User.current.id == value
> end
>
> User.current is supposed to give you the currently logged in user.
>
> You would need to initialize the user_id on creation to pass this test.
>
> Stephan
> --
> Posted via http://www.ruby-forum.com/.

Stephan Wehner
2007-Dec-10 22:44 UTC
Re: Validate Object Ownership (user_id) in model, or in cont
Charles wrote:
> current_user is provided by acts_as_authenticated through the
> following method:
>
> def current_user
>   @current_user ||= (session[:user] &&
>     User.find_by_id(session[:user])) || :false
> end
>

The implementation of this current_user method could be changed when the notion of current-user changes.

At the moment, it looks like the current user is the one who is logged in through cookies/sessions, and the form of the restriction being sought looks to me to go by the idea of a "current user".

I would prefer not having to remember to use the "current-widgets finder", when there is another way.

Stephan
--
Posted via http://www.ruby-forum.com/.
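
Added example (not part of the original thread, and not code from acts_as_authenticated or Rails): the two approaches discussed above, side by side, in plain Ruby with an in-memory store standing in for ActiveRecord. User.current as a thread-local, the ScopedWidgets helper, the NotFound error and the Widget fields are assumptions made for the illustration.

```ruby
# Plain-Ruby stand-ins for ActiveRecord models (constructed for this example).
class NotFound < StandardError; end

class User
  attr_reader :id
  def initialize(id); @id = id; end

  # Hypothetical User.current: thread-local, set per request by the controller.
  def self.current;     Thread.current[:current_user]; end
  def self.current=(u); Thread.current[:current_user] = u; end

  # Controller-side approach: a finder scoped to the owner.
  def widgets; ScopedWidgets.new(id); end
end

class Widget
  STORE = {}                       # id => persisted attributes
  attr_accessor :id, :user_id, :name
  attr_reader :errors

  def initialize(id, user_id, name)
    @id, @user_id, @name, @errors = id, user_id, name, []
  end

  def self.find(id)                # unscoped: returns any owner's row
    row = STORE[id] or raise NotFound
    new(id, row[:user_id], row[:name])
  end

  # Model-side approach: the persisted owner must be the current user,
  # and user_id itself may not be reassigned.
  def valid?
    owner = STORE.key?(id) ? STORE[id][:user_id] : user_id
    cur = User.current
    # Fail closed when no current user is set (console, background job).
    ok = cur && cur.id == owner && user_id == owner
    @errors = ok ? [] : ['user_id cannot be changed by current user']
    @errors.empty?
  end

  def save
    return false unless valid?
    STORE[id] = { user_id: user_id, name: name }
    true
  end
end

ScopedWidgets = Struct.new(:owner_id) do
  def find(id)
    w = Widget.find(id)
    raise NotFound unless w.user_id == owner_id  # same error as a missing row
    w
  end
end
```

The scoped finder restricts reads as well as writes, while the model check only guards saves and depends on User.current being set and cleared on every request.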