I think this question is so simple, that I am at a loss for how to google it.
In RoR, if I have a protected attribute like :premium or :admin, and I only want to change it if a User does something specific (signs up for premium account or something as simple as provides a phone number), how would I do that? It should only change if certain conditions are met, but I don’t want someone to be able to fake those conditions.
I understand that things like “premium” or “admin”, I want to avoid through mass assignment. So how do you change it if a user fills out a certain form?
Feel free to direct me to any useful links, I just cannot figure out how to word this, but I think it’s a simple solution.
Read about Mass Assignment
You can create roles
When calling .update_attributes(params) on this model, it will use the default role; if :premium is found in params, it will throw an error.
In the POST method for your special form, you’d specify the :special role for the update_attributes like .update_attributes(params, :special), directing the update_attributes to use the :special role which allows the mass assignment of the :premium attribute.
You can conditionally pass the role name based on some property in params, like the phone number having a value like you mentioned
If these conditions are more complex, you might consider adding them as a class method to the model
and then the update_attributes might look like
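Added example, not part of the answer above and not Rails code: a plain-Ruby model of the role-based whitelist it describes, with the role chosen from a server-side fact so the client cannot fake the condition. The User class, MassAssignmentError, role_for and the payment_verified flag are hypothetical names assumed for illustration.

```ruby
# Plain-Ruby sketch of role-based mass-assignment protection (no Rails needed).
# All names here are hypothetical; this is not ActiveRecord's implementation.
class MassAssignmentError < StandardError; end

class User
  # Attributes each role may set through mass assignment.
  ACCESSIBLE = {
    default: %w[name phone],
    special: %w[name phone premium]
  }.freeze

  attr_reader :name, :phone, :premium

  def initialize
    @premium = false
  end

  # Choose the role from a fact the server established itself
  # (payment_verified is an assumed server-side check), plus the
  # phone-number condition from the question. A flag sent in params
  # must never be what unlocks the :special role.
  def self.role_for(params, payment_verified:)
    has_phone = !params['phone'].to_s.strip.empty?
    (payment_verified && has_phone) ? :special : :default
  end

  # Reject the whole update if any key is outside the role's whitelist,
  # so a forged "premium" field fails loudly instead of being applied.
  def update_attributes(params, role = :default)
    allowed = ACCESSIBLE.fetch(role) # unknown role raises KeyError
    rejected = params.keys.map(&:to_s) - allowed
    unless rejected.empty?
      raise MassAssignmentError, "cannot mass-assign: #{rejected.join(', ')}"
    end
    params.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end
end
```
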