Home/ Questions/Q 6006131
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T01:29:45+00:00

I have various roles defined by CanCan in my rails application. I recently implemented

  • 0

I have various roles defined by CanCan in my rails application. I recently implemented jQuery UI autocomplete and it works well. The problem is that when I submit the form, the find_by_name that occurs in the model can find records that do not belong to the current_user. I have the following in my view:

<strong><%= f.label :inventory_name, "Material" %></strong>
<%= f.text_field :inventory_name, :class => "inputbox" %><br>

And my jQuery looks like:

jQuery("input[id$=_inventory_name]").autocomplete({
  source: '/ajax/inventory',
  minLength: 2
});

Then I have an ajax controller that does the right thing:

def inventory
  inventory = Inventory.accessible_by(current_ability)
  if params[:term]
    like= "%".concat(params[:term].concat("%"))
    names = inventory.where("name LIKE ?", like)
  else
    names = inventory
  end

  list = names.map {|u| Hash[ :id => u.id, :label => u.name, :name => u.name]}
  render :json => list
end

But my model does not:

def inventory_name=(name)
  inventory = Inventory.find_by_name(name)
  if inventory
    self.inventory_id = inventory.id
  else
    errors[:inventory_name] << "Invalid name entered"
  end
end
def inventory_name
  Inventory.find(inventory_id).name if inventory_id
end

find_by_name will return the first match it finds regardless of who owns it. Ideally I’d like to change:

inventory = Inventory.find_by_name(name)

to

inventory = Inventory.accessible_by(current_ability).find_by_name(name)

But that violates the principles of MVC not to mention the model has no access to current_ability, current_user or the like. So my question is, how to I move this logic into my controller where I have access to these things? I can’t seem to wrap my head around it 🙁

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I ended up needing both a before and after filter:

    after_filter :save_new_project_inventory, :only => [:create]
before_filter :update_project_inventory, :only => [:create, :update]


    private
def save_new_project_inventory
  # do this in an after filter so that
  # we will have a project.id
  @project_inventories.each { |key, value|
    value[:project_id] = @project.id
    ProjectInventory.create!(value)
  }
end

def update_project_inventory
  @project_inventories = {}
  params[:project][:project_inventories_attributes].each { |key, value|
    if value[:_destroy] != "false"
      project_inventory = ProjectInventory.find(value[:id])
      project_inventory.delete
    else
      if value[:id]
        project_inventory = ProjectInventory.find(value[:id])
        project_inventory.inventory_id = inventory_name(value[:inventory_name])
        project_inventory.save
      else
        if @project.nil?
          # can't save here because we need a project.id that we
          # won't have until after we save, so finish up in the
          # after filter
          @project_inventories[key] = {
            :inventory_id => inventory_name(value[:inventory_name])
          }
        else
          project_inventory = ProjectInventory.new
          project_inventory.inventory_id = inventory_name(value[:inventory_name])
          project_inventory.project_id = params[:id]
          project_inventory.save
        end
      end
    end
  }
  params[:project].delete(:project_inventories_attributes)
end

def inventory_name(name)
  inventories = Inventory.accessible_by(current_ability)
  inventory = inventories.find_by_name(name)
  if inventory
    inventory.id.to_s
  end
end

    I’m not sure if it is the best way to do it, but it works.

    • 0