On Nov 1, 9:44 am, David Lowenfels <[EMAIL PROTECTED]>
wrote:

> Maybe I'm misunderstanding the context, but why not just secure your
> model through the has-many association? It's the most basic security
> idiom and is built-in.

I suggested this to my team lead originally.  However, in our app
there are a lot of models, and multiple tiers of access.  So, it's a
minor headache for us to manually secure everything that way.  But,
you're right, associations and lambda'd named_scopes are the least
surprising way to accomplish this.

Thankfully, the ScopedAccess stuff is built into Rails and does the
same thing as acts_as_row_secure in a standard way.  So, it's just as
viable as an association and a sane compromise. This idiom basically
prevents us from having to type in accessible_by(@current_user) on
nearly every model in our controllers.

> BTW, a pattern I've seen if you really need to have the model access the
> current user is to use a class attribute accessor in a before filter.

That is a good point about using the User model cattr_accessor instead
of a library class for current_user.  Having the UserContext class
serve as a session proxy doesn't really sit right with me either.
That UserContext business is only needed for acts_as_row_secured
because you can't really access a defined superclass of ActiveRecord
when you're defining a mixin for ActiveRecord itself.

This is a big reason _not_ to use acts_as_row_secured.  UserContext is
essentially a dirty hack to sneak session data references into the
ActiveRecord definition itself which violates MVC and forces you to
have to set global constants when using a model anywhere outside of a
controller.  This technique is used all over the place in ad hoc
PHP apps which is why it seems wrong to me.

Tony
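The two idioms David and Tony compare, as an added Rails-free Ruby sketch that is not from either poster: `User`, `Post`, `find_for` and `handle_request` are constructed names, and the thread-local storage behind `User.current` is this sketch's substitution for a plain cattr_accessor.

```ruby
# Constructed, Rails-free sketch (no ActiveRecord) of the two idioms in the thread:
# (1) scoping every lookup through the owner's has-many collection, and
# (2) a class-level "current user" set by a before filter, consulted by the model.
class RecordNotFound < StandardError; end

class User
  attr_reader :id
  def initialize(id); @id = id; end
  # Idiom (2): cattr_accessor-style class attribute. Thread-local storage is an
  # assumption of this sketch so concurrent requests do not share one value.
  def self.current;        Thread.current[:current_user];        end
  def self.current=(user); Thread.current[:current_user] = user; end
  # Stand-in for `has_many :posts`: only rows whose user_id matches this user.
  def posts; Post.all.select { |p| p.user_id == id }; end
end

class Post
  attr_reader :id, :user_id, :title
  @@table = [] # in-memory stand-in for the posts table
  def initialize(id, user_id, title)
    @id, @user_id, @title = id, user_id, title
    @@table << self
  end
  def self.all; @@table; end
  # Idiom (1): like current_user.posts.find(id); other users' rows are not
  # visible at all, so a guessed id raises instead of returning a row.
  def self.find_for(user, id)
    user.posts.find { |p| p.id == id } or
      raise RecordNotFound, "Post #{id} is not visible to user #{user.id}"
  end
end

# Constructed fixture: two users, one post each.
ALICE = User.new(1)
BOB   = User.new(2)
Post.new(10, ALICE.id, "alice's draft")
Post.new(20, BOB.id, "bob's draft")

# One request: the before filter sets User.current, the action looks the row up
# through the scoped finder, and the filter state is cleared afterwards.
def handle_request(user, post_id)
  User.current = user
  Post.find_for(User.current, post_id).title
rescue RecordNotFound
  nil
ensure
  User.current = nil
end
```

Bob's request for his own post succeeds, his request for Alice's post id returns nothing, and the ensure block keeps the class-level user from leaking into the next request on that thread.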