
I am using Devise for authentication. I have two models where a user has one profile and profile belong to user:

class User < ActiveRecord::Base
  has_one :profile, dependent: :destroy 
end 

class Profile < ActiveRecord::Base
  belongs_to :user
end

I am using nested resources e.g.

resources :users do
  resource :profile
end

To create a new user profile I use the prefix new_user_profile_path(current_user) that routes to profile#new etc.

To update a user profile I do the following

# e.g. users/123/profile
current_user.profile.update(profile_params) 

This doesn't feel right because I am not using the user_id => 123 in profile params. Should I be finding the user profile by user_id instead e.g.

@profile = Profile.find_by(user_id: params[:user_id])
@profile.update(profile_params)

Additionally, users cannot edit other users' profiles.

Thanks for the feedback.

Elvyn Mejia

1 Answer


current_user.profile.update(profile_params) is an acceptable way of updating the profile for the current user.

This also helps secure the profile from being edited by another user. If you base the user ID on params passed in from the query string, that is insecure and would allow any logged-in user to update another user's profile.

For example, using restful routes anyone with access could post to /users/profiles/:id even if it wasn't their own ID.

current_user is an instance of the User model, and already contains the user_id attribute.

Jason Yost
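The difference the answer describes, as an added example that is not part of the question or the answer: a plain-Ruby stand-in for the controller lookup (no Rails or ActiveRecord, so it runs offline; the User and Profile records, ALICE and BOB, and the helper names find_profile_insecure, find_profile_scoped and find_profile_checked are all constructed for this illustration). With Alice logged in and a request to users/2/profile, the params-based lookup hands back Bob's profile, the current_user-scoped lookup ignores the URL id, and the checked variant keeps the nested route but refuses a user_id that does not belong to the session user.

```ruby
# Added example, not code from the question or answer. Constructed in-memory
# stand-ins for the Rails models; in a real app these are ActiveRecord records.
User    = Struct.new(:id, :email, :profile)
Profile = Struct.new(:id, :user_id, :bio)

ALICE = User.new(1, "alice@example.test", nil)
BOB   = User.new(2, "bob@example.test", nil)
PROFILES = [Profile.new(10, 1, "Alice's bio"), Profile.new(11, 2, "Bob's bio")]
ALICE.profile = PROFILES[0]
BOB.profile   = PROFILES[1]

# Insecure: mirrors Profile.find_by(user_id: params[:user_id]).
# The id comes from the URL, so any logged-in user can pick any profile.
def find_profile_insecure(params)
  PROFILES.find { |p| p.user_id == params[:user_id].to_i }
end

# Scoped: mirrors current_user.profile. The URL id is never consulted;
# the session decides whose profile is loaded.
def find_profile_scoped(current_user, _params)
  current_user.profile
end

# Checked: keeps the nested route honest by refusing a mismatch between the
# route's :user_id and the authenticated user, then loads through the session.
class NotAuthorized < StandardError; end

def find_profile_checked(current_user, params)
  raise NotAuthorized, "user_id does not match session" unless params[:user_id].to_i == current_user.id
  current_user.profile
end

# Applies the permitted attributes (stand-in for profile.update(profile_params)).
def update_bio(profile, attrs)
  profile.bio = attrs[:bio]
  profile
end

if $PROGRAM_NAME == __FILE__
  # Alice is logged in but requests users/2/profile (Bob's).
  tampered = { user_id: "2", profile: { bio: "defaced" } }
  puts "insecure lookup returns: #{find_profile_insecure(tampered).bio}"
  puts "scoped lookup returns:   #{find_profile_scoped(ALICE, tampered).bio}"
  begin
    find_profile_checked(ALICE, tampered)
  rescue NotAuthorized => e
    puts "checked lookup refused: #{e.message}"
  end
end
```

In a Rails controller the scoped form is just current_user.profile inside the action; the checked form corresponds to a before_action that compares params[:user_id] with current_user.id (or redirects when they differ) before touching the association.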