1

In my app I have note.rb with the schema shown below. What I am trying to do is restrict the ability to edit notes. Basically if the note has been created in the last 24 hours, you are allowed to update whatever you want. After 24 hours, all you can do is change the remind_at time. I have a method in the note.rb file that checks if the note is editable. If it is I display different partials. But that only restricts the front end, if someone has left the edit window open, or types in the URL, they can still edit the note after 24 hours.

What I am attempting to do is write a before_update method that checks if you are allowed to update the body of the note or not. No matter what you can update the remind_at time. Part of the problem is that the way the controller knows whether or not this is simply a change to the remind_at time is via params[:reschedule] and params are not accessible in the model. 

# == Schema Information
#
# Table name: notes
#
#  id                :integer          not null, primary key
#  body              :text
#  remind_at         :datetime
#  created_at        :datetime
#  updated_at        :datetime

# Only allow editing of notes that are less that 1 day old
  def editable?
    self.created_at > (Time.now-1.day)
  end
Zack
  • 2,377
  • 4
  • 25
  • 51
  • 1
    Could you test for the reschedule by looking to see if the remind_at changes (no longer use reschedule)? If not, add an attr_accessor to the model to allow the reschedule param to pass through. Also, you can delete params in the controller if the !model.editable?, so it won't submit them at all when you try to update. Lastly, you might want to add a validation so it throws an error - you may not want this if there is an admin way of editing notes. – Mark Swardstrom Mar 19 '15 at 17:54
  • 1
    Can't you just check if `remind_at_changed?` in your `before_update`? – faiakism Mar 19 '15 at 17:56
  • @faiakism & @Swards how would I then fail out of the method? Given that certain conditions are met in the model, how do I block the update from occurring? Is there a way to `fail` out or do I just `raise` an error? – Zack Mar 19 '15 at 18:04
  • 1
    If you do this in a `before_update` you could return `false` and abort the latter callbacks. I am not sure you want to do this though. You might want to add a validation and handle it from your controller to also show an appropriate error message. On the other hand as @Swards said that would be problematic if you have an admin way of editing. Maybe a custom validation checking this? – faiakism Mar 19 '15 at 18:08

2 Answers2

1

I don't understand, the model shouldn't have to look at params[:reschedule] to know if it's "simply a change to the remind_at time" -- the model is the thing being changed, it should be able to look at what's actually being changed and make sure it's only remind_at.

Looking at params[:reschedule] wouldn't be right even if you could easily do it -- as conceivably params[:reschedule] could be set at the same time other attributes were being modified, and you wouldn't want to allow that either. The only point to doing this in the model is not to trust the controller is doing the right thing (and has no security holes), but to ensure that only what's actually allowed is being done.

Which if I understand right, what's allowed is changing no attributes but remind_at, if created_at is past a certain time.

So what you really need to do is just look at what attributes have changed in a validation hook?

I believe the changed method should work to do that. It return a list of changed attributes since the last save. If the post is too old, you want to make sure they include include nothing but remind_at.

Does that work? 

 if self.created_at > (Time.now-1.day) &&
    self.changed.find {|k| k.to_s != "remind_at"}
         # BAD, they're trying to save some other attribute changed
 end

http://api.rubyonrails.org/classes/ActiveModel/Dirty.html#method-i-changed

jrochkind
  • 22,799
  • 12
  • 59
  • 74
0

if its mass assignment..then include the attribute in attr_accessible or else set it explicitly in controller or model

Milind
  • 4,535
  • 2
  • 26
  • 58