Forum: Ruby on Rails Overriding ActiveRecord associations for special cases

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Andrew F. (Guest)
on 2009-03-16 16:41
(Received via mailing list)
Hi,

Does anyone know a good way to override AR associations to take
special cases into account. My current take is the example below which
allows the 'root' user to access all products, but only works if I
remember to call it with a .all/.find or similar method:
'user.products.all' instead of 'user.products'. Ideally I guess I want
to return a proxy object that represents all products. Any ideas?

class User
  has_many :products

  def root?
    id == 1
  end

  def products_with_root
    if root?
      Product # Better way?
    else
      products_without_root
    end
  end
  alias_method_chain :products, :root
end

Best regards,
Andrew F.
"Wolas!" (Guest)
on 2009-03-16 18:31
(Received via mailing list)
I think you have a design problem here. Access controll should be
handled in the controller, not the model.

besides, having

def root?
    id == 1
  end

i believe is a very bad bad idea, maybe im wrong. any opinions anyone?
"Wolas!" (Guest)
on 2009-03-16 18:44
(Received via mailing list)
sorry, didint mention why it was a bad idea. Just in case the root
user changes id. or someone can modify the parameters and pretend to
be of id 1. and probably for som many reasons i forgot right now.
Andrew F. (Guest)
on 2009-03-16 20:01
(Received via mailing list)
On Mar 16, 4:30 pm, "\"Wolas!\"" <removed_email_address@domain.invalid> wrote:
> I think you have a design problem here. Access controll should be
> handled in the controller, not the model.

Thanks for replying. I don't know, I figure that the model is already
deciding which users are associated with which products and expanding
this to handle a special case is a logical extension that saves
putting business logic in the controllers. Although I will probably
have to revert to that as a fully-working solution.

> besides, having
>
> def root?
>     id == 1
>   end
>
> i believe is a very bad bad idea, maybe im wrong. any opinions anyone?

> sorry, didint mention why it was a bad idea. Just in case the root
> user changes id. or someone can modify the parameters and pretend to
> be of id 1. and probably for som many reasons i forgot right now.

Not sure if these can be justified as since by the definition above if
the root user changes their ID they are no longer the root user and if
somebody can pretend to be other user IDs on a system I think it has
bigger problems! Please let me know if you remember the other ones as
security is of course important. Thanks.

Andrew
"Wolas!" (Guest)
on 2009-03-17 12:18
(Received via mailing list)
> Not sure if these can be justified as since by the definition above if
> the root user changes their ID they are no longer the root user

and you would have NO root user in the system. If you have a system,
where only root users can grant root access to other users you would
have locked yourself out of your system.

Migrating to another db where there is already data or for some reason
it decides not to assign an id of 1. then you find yourself in the
same situation as before.

if you want to rely on a unique piece of info (that will not change
with time, or migrations or other db situations) maybe name if it is
unique or a boolean saying :admin => true

it is quite common in our projects that we put:

class User
    DEV = ["wolas", "foo", "abr"]

   def developer?
      DEV.include? name
   end

   def admin?
     developer? || super
   end

end

respect to your original issue. i dont think that is business logic
but mroe access control, which should be handled in the model. As in,
root users can see all products but no other so:

def index
  @proucts = if current_user.root?
      Product.all
   else
      current_user.products
   end
end
This topic is locked and can not be replied to.