permissions-for-data-integrity
## Permissions for data integrity

The permissions system is not just for providing operations to some users but not to others. It is also used to prevent operations that don't make sense for anyone. For example, you've probably noticed that the default UI allows stories to be moved from one project to another. That's arguably not a sensible operation for *anyone* to be doing. Before we fix this, browse to an "Edit Story" page and notice the menu that lets you choose a different project. Now prevent the project from changing with this method in `story.rb`:

SHOW_PATCH

Refresh the browser and you'll see that menu removed from the form automatically.

The `update_permitted?` method can take advantage of the "dirty tracking" features in ActiveRecord. If you're savvy with ActiveRecord, you might notice something unusual there: those `*_changed?` methods are only available on primitive fields. Hobo's model extensions give you methods like that for `belongs_to` associations too.

Now make a similar change to prevent tasks from being moved from one story to another.
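The mechanism the commit message describes, as an added example that is not code from the Hobo tutorial or from the Hobo library: a dependency-free `Story` with hand-rolled dirty tracking (standing in for ActiveRecord plus Hobo's `belongs_to` extension), the `update_permitted?` hook from the commit, a save path that consults it, and an `editable_fields` probe that emulates the form hiding the project menu. The `User` struct, the `DataIntegrityPermissionDenied` error and the probe-by-temporary-change mechanism are assumptions made for this example, not Hobo's implementation.

```ruby
# Added example (not code from the Hobo tutorial or the Hobo library): a
# dependency-free sketch of "permissions for data integrity". In Hobo the
# record's dirty tracking comes from ActiveRecord plus Hobo's belongs_to
# extensions; here it is hand-rolled so the example runs offline.

# Raised when a save is attempted that the permission hook rejects
# (assumed name; Hobo has its own error class for this).
DataIntegrityPermissionDenied = Class.new(StandardError)

# Stand-in for the application's user model (assumed shape).
User = Struct.new(:name, :signed_up) do
  def signed_up?
    signed_up
  end
end

class Story
  FIELDS = %i[title project_id].freeze

  attr_reader(*FIELDS)

  def initialize(title:, project_id:)
    @title = title
    @project_id = project_id
    mark_clean
  end

  # Pending (unsaved) assignment, like mass assignment from the edit form.
  def assign(attrs)
    attrs.each do |name, value|
      raise ArgumentError, "unknown attribute #{name}" unless FIELDS.include?(name)
      instance_variable_set("@#{name}", value)
    end
    self
  end

  # Primitive-field dirty check, as plain ActiveRecord provides.
  def title_changed?
    @original[:title] != @title
  end

  # Association-level dirty check (what Hobo adds for belongs_to): the
  # story's project has changed iff its foreign key has changed.
  def project_changed?
    @original[:project_id] != @project_id
  end

  # The hook from the commit: the first clause says who may edit at all,
  # the second forbids an edit that makes no sense for anyone.
  def update_permitted?(acting_user)
    acting_user.signed_up? && !project_changed?
  end

  # Save path: consult the hook before committing the pending values.
  # The whole update is refused, not just the offending field.
  def save!(acting_user)
    unless update_permitted?(acting_user)
      raise DataIntegrityPermissionDenied, "#{acting_user.name} may not save this change"
    end
    mark_clean
    self
  end

  # Discard pending changes, as a rejected edit form would.
  def reload
    FIELDS.each { |name| instance_variable_set("@#{name}", @original[name]) }
    self
  end

  # Emulates the form behaviour the commit message describes (assumed
  # mechanism, not Hobo's code): a field is offered for editing only if a
  # change to it could still pass update_permitted?, probed by altering it
  # temporarily and restoring the current value afterwards.
  def editable_fields(acting_user)
    FIELDS.select do |name|
      current = instance_variable_get("@#{name}")
      instance_variable_set("@#{name}", :probe_value)
      permitted = update_permitted?(acting_user)
      instance_variable_set("@#{name}", current)
      permitted
    end
  end

  private

  # Snapshot the current values as the "clean" baseline for dirty tracking.
  def mark_clean
    @original = FIELDS.map { |name| [name, instance_variable_get("@#{name}")] }.to_h
  end
end
```

With these classes, a signed-up user sees only `title` in `editable_fields`, a guest sees nothing, and an attempt to save a story whose `project_id` has been reassigned raises even for a signed-up user; `reload` then restores the original project. The point of rejecting the entire update rather than silently dropping the project change is that a client which bypasses the form and posts a new `project_id` anyway gets an error, not a partial write.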
bryanlarsen committed Nov 14, 2011
1 parent b8bf595 commit ef816e4
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion app/models/story.rb
@@ -22,7 +22,7 @@ def create_permitted?
end

def update_permitted?
acting_user.signed_up?
acting_user.signed_up? && !project_changed?
end

def destroy_permitted?
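Review bot: `acting_user.signed_up? && !project_changed?` denies the whole update to every user once the project is changed, with no exemption for an administrator, so if anyone is ever meant to move a story between projects that will have to happen outside this path; if that is intended, say so in a one-line comment on this hunk. The same comment should note that `project_changed?` on a `belongs_to` comes from Hobo's model extensions (as the commit message says), because plain ActiveRecord dirty tracking only offers `project_id_changed?` and a maintainer may otherwise assume the method is undefined.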
2 changes: 1 addition & 1 deletion app/models/task.rb
@@ -19,7 +19,7 @@ def create_permitted?
end

def update_permitted?
acting_user.signed_up?
acting_user.signed_up? && !story_changed?
end

def destroy_permitted?
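Review bot: `!story_changed?` here mirrors the guard in `story.rb`, but it is evaluated only when this task record itself is updated, so it covers reparenting done through the task's own attributes and not a reassignment driven from the story side (for example, editing a story's task collection); please confirm that path is either absent or guarded too, since this hunk does not address it. A shared comment or helper for the two identical "no reparenting" checks would also keep them from drifting apart.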
