Use scope access

16

Dislike

ihower Posted by ihower on July 20, 2010

You can use scope access to avoid checking the permission by comparing the owner of object with current_user in controller.

If you check the permission by comparing the owner of object with current_user, it's verbose and ugly, you can use scope access to avoid this.

Bad Smell

class PostsController < ApplicationController
  def edit
    @post = Post.find(params[:id])
    if @post.user != current_user
      flash[:warning] = 'Access denied'
      redirect_to posts_url
    end
  end
end

In this example, we compare the user of post with current_user, if the condition returns false, do not allow user to edit the post. But it's too verbose to do this permission check for edit, update, destroy and etc. Let's use scope access to refactor.

Refactor

class PostsController < ApplicationController
  def edit
    # raise RecordNotFound exception (404 error) if not found
    @post = current_user.posts.find(params[:id])
  end
end

So we find the post only in current_user.posts that can promise the post is owned by current_user, if not, a 404 error will be raised.

We have no needs to compare the owner with current_user, just use scope access to make permission check simpler.

implemented
controller
related best practices:

Comments

wuyh Posted by wuyh on 2010-07-30T02:47:36Z

good idea!

Romain Tribes Posted by Romain Tribes on 2010-10-04T07:53:57Z

I add that when you use custom finders, they return nil by default.
Adding a bang will cause them to raise RecordNotFound exception.

Example :


class TeamInvitationsController < ApplicationController
  
  # Invitation confirmation (user come from a link in the mail).
  # GET /teams/:team_id/invitations/:id/:secret_key
  def confirm
    @team       = Team.find(params[:team_id])
    @invitation = @team.team_invitations.find_by_id_and_secret_key!(params[:id], params[:secret_key])
    
    @invitation.confirm! if @invitation.confirmable?
    
    redirect_to(edit_team_path(@team))
  end
  
end

flyerhzm Posted by flyerhzm on 2010-10-04T08:14:21Z

@Romain, raise RecordNotFound exception is what we expected as the page current user visit is not in the resources that current user can visit.
You can add a global logic in app/controllers/application_controller.rb to catch the RecordNotFound exception and render 404 page to user. Here is an example

# app/controllers/application_controller.rb
rescue_from ActiveRecord::RecordNotFound do |exception|
  render_404
end

def render_404(exception = nil)
  if exception
    logger.info "Rendering 404 with exception: #{exception.message}"
  end

  respond_to do |format|
    format.html { render :file => "#{Rails.root}/public/404.html", :status => :not_found, :layout => false }
    format.xml  { head :not_found }
    format.any  { head :not_found }
  end
end

Romain Tribes Posted by Romain Tribes on 2010-10-04T09:23:19Z

@ flyerhzm : Yes, it's the goal. ;)
My point was to illustrate that finders can mimic the behaviour of find.
The tips with the bang is not well known.
Post a comment

  1. Note: if you are a registered user, you can log in without input username.

    2. You may use ONLY these HTML tags to format your comment:

    <a href="" title=""> <b> <blockquote> <pre> <code> <em> <i> <strong>

    Use <pre><code>...</code></pre> for multi-line codes.

    Do not use <p> tags. Just use newlines.

Fork me on GitHub