
suggestion: including mass_assignment_security with cancan #533

Closed
suzi2000 opened this Issue · 0 comments

2 participants

@suzi2000

It seems to me that it may be possible to integrate the Rails 3 mass assignment protection with CanCan?
https://github.com/rails/rails/blob/f69be6ae8f0a309cca59bea2526b71b1029b4beb/activemodel/lib/active_model/mass_assignment_security.rb#L205

so we could define our controllers simply, e.g. with a :default and :admin role

class AccountsController < ApplicationController
  include ActiveModel::MassAssignmentSecurity   # (cancan could include this for convenience)
  attr_accessible :first_name, :last_name       # same as :as => :default
  attr_accessible :first_name, :last_name, :plan_id, :rating, :as => :admin
end

In cancan we would say:

class Ability
  include CanCan::Ability

  def initialize(user)
    if user
      can [:read, :update], Accounts            # :as => :default if not specified

      if user.admin?
        can :manage, Accounts, :as => :admin
      end
    end
  end
end

cancan would sanitize the params & instance variables for us, based on the roles, so the controllers don't have to change at all for mass assignment security. Is this possible or useful?
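A self-contained sketch of the behaviour the post proposes, added here as an example and not taken from the post, from CanCan or from ActiveModel: a plain-Ruby stand-in for `attr_accessible(:as => role)`, a sanitizing step keyed on the role the user's ability grants, and a constructed request from a non-admin user. The `RoleScopedAttributes` module, `mass_assignment_role`, `sanitized_params` and the hash-based `user` are assumptions made for the example.

```ruby
# Added example: a plain-Ruby model of the role-scoped whitelisting the post
# describes. It stands in for ActiveModel::MassAssignmentSecurity's
# attr_accessible(:as => role) and for the sanitizing step the post asks
# CanCan to perform; neither library is loaded here.
module RoleScopedAttributes
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # attr_accessible :a, :b                 -> whitelist for :default
    # attr_accessible :a, :b, :as => :admin  -> whitelist for :admin
    def attr_accessible(*attrs)
      options = attrs.last.is_a?(Hash) ? attrs.pop : {}
      role = options.fetch(:as, :default)
      accessible_attributes[role] |= attrs.map(&:to_s)
    end

    def accessible_attributes
      @accessible_attributes ||= Hash.new { |h, k| h[k] = [] }
    end
  end

  # Keep only the keys whitelisted for the given role; everything else is dropped.
  def sanitize_for_mass_assignment(params, role = :default)
    allowed = self.class.accessible_attributes[role]
    params.select { |key, _| allowed.include?(key.to_s) }
  end
end

class AccountsController
  include RoleScopedAttributes
  attr_accessible :first_name, :last_name                  # :as => :default
  attr_accessible :first_name, :last_name, :plan_id, :rating, :as => :admin
end

# The role a request is sanitized under comes from what the user is allowed to
# do, mirroring `can :manage, Accounts, :as => :admin` in the post's Ability.
# `user` is a plain hash here (constructed for the example), not a model.
def mass_assignment_role(user)
  user && user[:admin] ? :admin : :default
end

# Constructed request: a user trying to set their own rating and plan.
SUBMITTED = { "first_name" => "Ada", "rating" => 5, "plan_id" => 2 }

def sanitized_params(user, params = SUBMITTED)
  role = mass_assignment_role(user)
  AccountsController.new.sanitize_for_mass_assignment(params, role)
end
```

With this in place the controller action only ever sees the attributes its caller's role may assign; a non-admin submitting `rating` gets it silently dropped rather than written.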
