
In rails (with cancan or otherwise) I want the logged in user to be able to edit some of their database record but not all.

The database looks something like this:

User: name, password, team_id, role_id, notes
Role: name
Team: name

For instance, if the current_user (the one that is logged in) has a role of user then the only thing I want them to be able to do is change their own password. I don't want them to be able to rename themselves or change their team. I want managers to be able to add notes about themselves and other users but not other managers.

I am using a modified form of the following to do authentication:

  1. http://railscasts.com/episodes/250-authentication-from-scratch
  2. http://railscasts.com/episodes/192-authorization-with-cancan

I was thinking of adding something like the following in ability.rb:

can :edit, User, :id => user.id

My questions are as follows:

  1. How do I restrict the fields that I want them to have access to?
  2. Where should this go? I was thinking in the controller, not the model (as I think stuff that deals with the current user's permissions should not be in the model layer).
James Brooks

2 Answers

Here's something new you can take a look at, called heimdallr, which pretty much seems to do what you require. And here's an article with some info about it.

Andrei S

1 - How do I restrict the fields that I want them to have access to?

Assuming that you have the above simple implementation, I would suggest having a simple permission mechanism (because I feel that CanCan also restricts the user from editing etc. an entire record, not a part of it).

Your User model would be

class User < ActiveRecord::Base

  # assumes the row with id 1 in the roles table is the admin role
  def admin?
    role_id == 1
  end

end

and when showing the columns try to use a helper method to lock the textboxes, you may have a helper like

module UsersHelper
  def edit_name?
    current_user.admin?
  end
end

in your view

<%# the field is locked unless the current user may edit the name %>
<%= f.text_field :name, :readonly => !edit_name? %>

Code is not perfect, but I think you get the idea!

2) User type selection (whether the user is admin, etc.) should go in the model, because it belongs to domain logic.

But displaying/hiding or activating/deactivating HTML elements falls into the presentation layer, and it is better to use helper methods for that.

halfer
sameera207
  • Won't the `:readonly` flag only affect the view, such that if someone changed readonly to false in the Chrome developer console they would still be able to edit it? – James Brooks Apr 11 '12 at 16:29
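The comment above is the crux: a `:readonly` attribute is only a hint to the browser, so the rules from the question (a user may change only their own password; a manager may add notes about themselves and non-managers) have to be enforced on the server when the posted parameters arrive. Here is an added example in plain Ruby, not code from the question or either answer; the `User` struct, the role names and the `permitted_attributes`/`filter_params` helpers are assumptions standing in for the real model and controller.

```ruby
# Added example (not from the question or answers): role-aware, server-side
# attribute whitelisting for the User record described in the question.
# The view's :readonly flag is cosmetic; this filter decides which posted
# fields are allowed to reach the model at all.

ROLE_USER    = "user"
ROLE_MANAGER = "manager"
ROLE_ADMIN   = "admin"   # the answer's admin? check, modelled as a role name

# Constructed stand-in for the User model (a plain Struct, not ActiveRecord);
# the question's role_id is replaced by a role name to keep the example short.
User = Struct.new(:id, :name, :role, :team_id, :notes, :password)

# Which columns of `target` may `current_user` modify?
def permitted_attributes(current_user, target)
  case current_user.role
  when ROLE_ADMIN
    %w[name password team_id role_id notes]
  when ROLE_MANAGER
    if current_user.id == target.id
      %w[password notes]          # own record: password plus notes about self
    elsif target.role == ROLE_MANAGER
      []                          # managers may not touch other managers
    else
      %w[notes]                   # notes about ordinary users only
    end
  when ROLE_USER
    current_user.id == target.id ? %w[password] : []   # own password only
  else
    []                            # unknown role: deny everything
  end
end

# Keep only the submitted keys that are permitted, whatever the HTML said.
# Pass the result to update_attributes instead of the raw params[:user].
def filter_params(params, permitted)
  params.select { |key, _| permitted.include?(key.to_s) }
end

# Usage: a plain user tries to rename themselves and switch team while
# changing their password; only the password survives the filter.
me     = User.new(1, "alice", ROLE_USER, 10, nil, "old-secret")
posted = { "name" => "root", "team_id" => 99, "password" => "new-secret" }
filter_params(posted, permitted_attributes(me, me))  # => {"password"=>"new-secret"}
```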