I have a Rails 3.2.13 application to maintain.
Because of authorization rules I want to limit the find(params[:file_registry_id]) method to accept all parameters except 752. (Only user tehen should be able to get it.)
    def show
      if current_user.tehen?
        @file_registry = FileRegistry.find(752)
      else
        @file_registry = FileRegistry.find(params[:file_registry_id])
      end
      @rubric = Rubric.find(params[:id])
      @rubrics = expanded_rubrics @rubric.ancestors_with_self.collect(&:id)
      set_favorites
      render :action => 'index'
    end
Is there a method available to filter an element (here id 752) from the params hash? Or what's the best way to go?
Solved
Simple solution:
    def show
      @file_registry = get_file_registry
      # ....
    end

    private

    def get_file_registry
      if current_user.tehen?
        FileRegistry.find(752)
      # params values arrive as Strings, so compare as integers ("752" == 752 is never true)
      elsif params[:file_registry_id].to_i == FORBIDDEN_ID_FOR_GUEST.to_i
        false
      else
        FileRegistry.find(params[:file_registry_id])
      end
    end
FORBIDDEN_ID_FOR_GUEST should be defined outside of the controller, for example inside an initializer.
But I suggest using an authorization library like CanCan (https://github.com/ryanb/cancan), where you can define permissions for every use case.