From b5734af0a6e9dce9c88eef879e3bd4a3aba77b1d Mon Sep 17 00:00:00 2001 From: Bryan Larsen Date: Mon, 3 Jun 2013 16:38:23 +0200 Subject: [PATCH] permissions-for-data-integrity ## Permissions for data integrity The permissions system is not just for providing operations to some users but not to others. It is also used to prevent operations that don't make sense for anyone. For example, you've probably noticed that the default UI allows stories to be moved from one project to another. That's arguably not a sensible operation for *anyone* to be doing. Before we fix this, browse to an "Edit Story" page and notice the menu that lets you choose a different project. Now prevent the project from changing with this method in `story.rb`: SHOW_PATCH Refresh the browser and you'll see that menu removed from the form automatically. The `update_permitted?` method can take advantage of the "dirty tracking" features in ActiveRecord. If you're savvy with ActiveRecord you might notice something unusual there - those `*_changed?` methods are only available on primitive fields. Hobo's model extensions give you methods like that for `belongs_to` associations too. Now make a similar change to prevent tasks being moved from one story to another. --- app/models/story.rb | 2 +- app/models/task.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/models/story.rb b/app/models/story.rb index bd9f96e..1d84850 100644 --- a/app/models/story.rb +++ b/app/models/story.rb @@ -24,7 +24,7 @@ def create_permitted? end def update_permitted? - acting_user.signed_up? + acting_user.signed_up? && !project_changed? end def destroy_permitted? diff --git a/app/models/task.rb b/app/models/task.rb index e641251..a7559f8 100644 --- a/app/models/task.rb +++ b/app/models/task.rb @@ -20,7 +20,7 @@ def create_permitted? end def update_permitted? - acting_user.signed_up? + acting_user.signed_up? && !story_changed? end def destroy_permitted?