Permalink
Browse files

permissions-for-data-integrity

## Permissions for data integrity

The permissions system is not just for providing operations to some users but not to others. It is also used to prevent operations that don't make sense for anyone. For example, you've probably noticed that the default UI allows stories to be moved from one project to another. That's arguably not a sensible operation for *anyone* to be doing. Before we fix this, browse to an "Edit Story" page and notice the menu that lets you choose a different project. Now prevent the project from changing with this method in `story.rb`:

SHOW_PATCH

Refresh the browser and you'll see that menu removed from the form automatically.

The `update_permitted?` method can take advantage of the "dirty tracking" features in ActiveRecord. If you're savvy with ActiveRecord you might notice something unusual there - those `*_changed?` methods are only available on primitive fields. Hobo's model extensions give you methods like that for `belongs_to` associations too.

Now make a similar change to prevent tasks being moved from one story to another.
  • Loading branch information...
bryanlarsen authored and iox committed Jun 3, 2013
1 parent 3d4b3fe commit b5734af0a6e9dce9c88eef879e3bd4a3aba77b1d
Showing with 2 additions and 2 deletions.
  1. +1 −1 app/models/story.rb
  2. +1 −1 app/models/task.rb
View
@@ -24,7 +24,7 @@ def create_permitted?
end
def update_permitted?
acting_user.signed_up?
acting_user.signed_up? && !project_changed?
end
def destroy_permitted?
View
@@ -20,7 +20,7 @@ def create_permitted?
end
def update_permitted?
acting_user.signed_up?
acting_user.signed_up? && !story_changed?
end
def destroy_permitted?

0 comments on commit b5734af

Please sign in to comment.