允许用户仅编辑Ruby on Rails上的一些字段

Question

How can I achieve that an user could only edit some fields from a record?

For example:

A user can register on the system and select and specify username, password, etc. But a registered user can only edit his name, email and password, not his username.

I have a partial _form, which I use for new and edit functions. The partial looks like this:

    <% form_for @user do |f| %>
    <%= f.error_messages %>
    <p>
            <%= f.label :gruebl_employee_id %><br />
            <%= f.collection_select(:firma_employee_id, FirmaEmployee.find(:all).sort_by{|p| p.lastname.downcase},:id,:full_name, {  :include_blank => "---keine Mitarbeiter---", :prompt => "---Bitte auswählen---"}, { :style => "width: 332px;"}) %>
        </p>
         <%= observe_field(:user_firma_employee_id,
         :frequency => 0.25,
         :url => { :action => :retrieveinfo },
         :with => "'id='+value") %>

        <p>
          <%= f.label :username %><br />
          <%= f.text_field :username %>
        </p>

         <p>
          <%= f.label :admin, "Administrator ?" %><br />
          <%= f.check_box :admin %>
        </p>

        <p>
          <%= f.label :email %><br />
          <%= f.text_field :email %>
        </p>
        <p>
          <%= f.label :password %><br />
          <%= f.password_field :password %>
        </p>
        <p>
          <%= f.label :password_confirmation %><br />
          <%= f.password_field :password_confirmation %>
        </p>
        <p><%= f.submit %></p>
<%end%>

What I am trying to do is block the user from changing the employee and the username attribute.

Thanks in advance.

Answer 1

Take care of this in several places.

First, use attr_accessible in the User model, to include only those you want the user to edit:

attr_accessible :name, :email, :password, :password_confirmation #...

Then in the form partial, only shows the username field when showing the signup form:

<% if @user.new_record? %>
  <%= f.text_field :username %>
<% end %>

Lastly, in the create action, manually set the username field, since it's now in the attr_accessible list you cannot mass assign it:

@user = User.new(params[:user])
@user.username = params[:user][:username]

Please keep in mind if username is able to be set through mass assignment, even if you disable the username field in the form, it still can be modified (it's easy to change the field value in the form on the client side). That's why we have to use the attr_accessible for pretection.

Edit: noticed your partial, it's better to protect the admin field as username, otherwise users are able to set themselves as admin by changing the fields value on client side.

Answer 2

The trick is to use "object" in conjunction with a label for anything you don't want to change. Here is how you should code it for the username:

<%= f.label(:username, f.object.username) %>

Answer 3

As I can see you have two ways of doing this.

1 - Use the html support for making the textbox readonly. So in your case, user_name textbox will be something like this

<input type="text" name="user_name" value="<User Name>" readonly="readonly" />

2 - But I prefer doing something like creating a read-only textbox in your rails application helper can calling it as and when required

So the example would be

in my application helper

module ApplicationHelper

    def read_only_text_field(object_name, method, options = {})
          text_field(object_name, method, :disabled => true)
    end
end

and in my view I have

<%= read_only_text_field :user, :user_name %>

I think its more DRY/ Railly way.

** IMPORTANT - and make sure you doent count the read-only value from your controllers when saving etc.. By that way, even a user changes these readonly values you are still out of the trouble :D

hope this helps

cheers

sameera

Answer 4

Here's my related solution to a similar problem - we have fields that we want a user to be able to set themselves, we don't require them on creation of the record, but we do NOT want to them be changed once they are set.

  validate :forbid_changing_some_field, on: :update

  def forbid_changing_some_field
    return unless some_field_changed?
    return if some_field_was.nil?

    self.some_field = some_field_was
    errors.add(:some_field, 'can not be changed!')
  end

The thing that surprised me, though, was that update_attribute still works, it bypasses the validations. Not a huge deal, since updates to the record are mass assigned in practice - but I called that out in the tests to make it clear. Here's some tests for it.

    describe 'forbids changing some field once set' do
      let(:initial_some_field) { 'initial some field value' }
      it 'defaults as nil' do
        expect(record.some_field).to be nil
      end

      it 'can be set' do
        expect {
          record.update_attribute(:some_field, initial_some_field)
        }.to change {
          record.some_field
        }.from(nil).to(initial_some_field)
      end

      describe 'once it is set' do
        before do
          record.update_attribute(:some_field, initial_some_field)
        end

        it 'makes the record invalid if changed' do
          record.some_field = 'new value'
          expect(record).not_to be_valid
        end

        it 'does not change in mass update' do
          expect {
            record.update_attributes(some_field: 'new value')
          }.not_to change {
            record.some_field
          }.from(initial_some_field)
        end

        it 'DOES change in update_attribute!! (skips validations' do
          expect {
            record.update_attribute(:some_field, 'other new value')
          }.to change {
            record.some_field
          }.from(initial_some_field).to('other new value')
        end
      end
    end