Rails how to restrict attribute updates

Question

I got an Object, Rating, with 2 fields, user_id and value.

class CreateRatings < ActiveRecord::Migration[5.1]
     def change
       create_table :ratings do |t|
          t.belongs_to :user
          t.integer :user_id
          t.decimal :value
       end
     end
end

On create i want to set user_id and value to the given values from the Controller:

@rating = Rating.create(user_id: 1, value: 2)

But after i created it, it should not be possible to change the user_id attribute. Just the value attribute. So after that:

@rating.update(user_id: 2, value: 3)

@rating.user_id should still return 1, but value should be 3.

My idea was to use before_update to revert the changes, but that does not look right to me.

Is the another way to do it?

i hope i could make it more clear whats my problem..

Thanks

Update

The Controller looks like this:

  def create
     Rating.create(rating_params)
  end

   def edit
     Rating.find(params[:id]).update(rating_params)
   end

   private

   def rating_params
      params.require(:rating).permit(:user_id, :value)
   end

This sounds like a complete mess to me... Why do you have **two** columns for what should clearly be a single boolean attribute? Do not not `permit` certain attributes, or have some `policies` in place for certain user roles..... Most importantly though, you need to *show us your code*. We cannot answer this question in its current vague form. — Tom Lord, Oct 27 '17 at 13:41
Possible duplicate of [In Rails, how do I limit which attributes can be updated, without preventing them from being created?](https://stackoverflow.com/questions/13735935/in-rails-how-do-i-limit-which-attributes-can-be-updated-without-preventing-the) — Ioane Sharvadze, Oct 27 '17 at 13:53
@TomLord: `changeable` and `not_changeable` are likely just terribly chosen fake names for real attributes. `photo` and `email`, for example. — Sergio Tulentsev, Oct 27 '17 at 14:01
@SergioTulentsev: thats that i ment. didnt realise it utill the awnser. — Clemny, Oct 27 '17 at 14:04
@IoaneSharvadze: Thanks thats what i was looking for, didnt found it before. — Clemny, Oct 27 '17 at 14:05
@Clemny You almost certainly shouldn't be preventing changing attributes **in the model**! You need to put this logic *in the controller*. Do you have a controller action that's updating this record? Can you show us? — Tom Lord, Oct 27 '17 at 14:05
@Clemny: those answers are from 5 years ago. not sure about `attr_readonly`, but `attr_accessible` is no longer in rails. — Sergio Tulentsev, Oct 27 '17 at 14:05

score 1 · Accepted Answer · answered Oct 27 '17 at 14:05

You could do that with some strong_params. Simply don't allow user_id when updating. Something along these lines:

class RatingsController
  def create
    @rating = Rating.create(create_rating_params)
    ...
  end

  def update
    @rating = Rating.find(params[:id])
    @rating.update_attributes(update_rating_params)
    ...
  end

  private

  def create_rating_params
    params.require(:rating).permit(:user_id, :value)
  end

  def update_rating_params
    params.require(:rating).permit(:value)
  end
end

Rails how to restrict attribute updates

Update

1 Answers1