Home/ Questions/Q 3272158
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T18:47:52+00:00

I have a model that looks something like this: class Comment < ActiveRecord::Base …

  • 0

I have a model that looks something like this:

class Comment < ActiveRecord::Base
  ...
  #allow editing comment if it is moderated and the user passed-in
  #is the one that owns the comment
  def can_edit?(user)
    moderated? and user.Type == User and user.id == self.user_id
  end
  ...
end

And a call in a view:

<%= link_to 'Show Comment', @comment if @comment.can_show?(current_user) %>

I need to write many such methods in many different models – sort of validation checks to see if current_user is allowed to
do something on a model.

But it feels cumbersome – especially the need to check that the passed-in user is indeed a object of type User.

What’s a clean, best-practice way to do this sort of thing? Am I on the right track? (i.e. should I be adding such methods to a model or somewhere else)

Note

I am using scoped queries to get the comments and other models, but in some cases I cannot scope the query so I have to use the can_xxxx? methods

Ps. Is what I’m doing considered a "fat model"?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Create a module containing all the authorization methods and include the module to all the classes requiring authorization.

    Add a file called authorization.rb to app/models directory.

    module Authorization

  def can_edit?(user)
    moderated? and user.is_a?(User) and user.id == self.user_id
  end

  def self.included(base)
    base.send(:extend, ClassMethods)
  end

  module ClassMethods
    # add your class methods here.
  end
end

    Add a file called authorization.rb to config/initializers directory.

    %w(
 Comment
 Post
).each do |klass|
  klass.constantize.include(Authorization)
end

    Now Comment and Post models will have all the authorization methods.

    Other approach is to use your current named_scope.

    class Post
  named_scope :accessible, lambda { |user|
    {
      :conditions => { :user_id => user.id, :moderated => true}
    }
  }
end

    Post controller actions 

    class PostsController

  def index
    @posts = Post.acessible(current_user)
    # process data
  end

  def show
    # throws record not found when the record is not accessible.
    @post = Post.acessible(current_user).find(params[:id])
    # process data
  end

end

    I like this approach as it uses the same logic for accessing an array of objects or a single object.

    You can add the named_scope to the module to avoid repeated definitions:

    module Authorization
  def self.included(base)
    base.named_scope :accessible, lambda { |user|
      {
        :conditions => { :user_id => user.id, :moderated => true}
      }
    }
  end

  module ClassMethods
    # add your class methods here.
  end
end

    Make sure to include the module in required classes as suggested earlier.

    • 0