I am creating a Trello-style app where a user can drag cards between lists. I am handling all the reordering logic on the JS side, and am posting the list_id and position to the Rails update action in my controller:
card = authorize Card.find(params[:id])
card.update(card_params)
The authorize method, provided by pundit, looks like this:
def update?
user.can_edit?(card.board)
end
This is only checking if the user is authorized to edit the board. Because I am permitting the list_id attribute, a user could very well make a POST to move a card to a list which he does not have access to. To solve this, I added this condition to my controller:
if current_user.can_edit? List.find(params[:list_id]).board
  # update card
else
  # handle error
end
This solution does the job, but I don't want to introduce any authorization into my controller. My Pundit policy does not have access to the card_params, and the model does not have access to the Devise current_user, so this seems like the only way. Is there a way I could stick this logic into the policy?
I found out the solution, I just had to authorize the new list through the list policy:
authorize List.find(params[:list_id])
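A dependency-free walkthrough of why the second authorize call closes the gap, as an added example that is not part of the question or the answer: the User, Board, List and Card structs, both policies and the `authorize` helper are constructed stand-ins that imitate what Pundit's controller helper does (pick `<RecordClass>Policy`, call `"<action>?"`, raise when it returns false), so the file runs without Rails or the pundit gem.

```ruby
# Constructed stand-ins for the Rails models; only what the policies need.
NotAuthorizedError = Class.new(StandardError)

User = Struct.new(:id, :editable_board_ids) do
  def can_edit?(board)
    editable_board_ids.include?(board.id)
  end
end
Board = Struct.new(:id)
List  = Struct.new(:id, :board)
Card  = Struct.new(:id, :list) do
  def board
    list.board
  end
end

# Same check as the question's policy: the card's *current* board must be editable.
class CardPolicy
  def initialize(user, card)
    @user, @card = user, card
  end

  def update?
    @user.can_edit?(@card.board)
  end
end

# Evaluated against the destination list, this checks the board the card is moving *to*.
class ListPolicy
  def initialize(user, list)
    @user, @list = user, list
  end

  def update?
    @user.can_edit?(@list.board)
  end
end

# Stand-in for Pundit's `authorize record`: resolve <Class>Policy, call "<action>?".
def authorize(user, record, action)
  policy = Object.const_get("#{record.class}Policy").new(user, record)
  raise NotAuthorizedError, "#{action} denied on #{record.class}" unless policy.public_send("#{action}?")
  record
end

# The update action as the accepted answer leaves it: authorize the card, then the
# destination list, and only then apply the move. A list the user cannot edit
# raises before the card is touched.
def move_card(user, card, lists, list_id:, position:)
  authorize(user, card, :update)
  target = authorize(user, lists.fetch(list_id), :update)
  card.list = target
  [target.id, position]
end
```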