Best way to allow admin to build objects for Admin

Developer https://www.devze.com 2023-02-05 13:36 Source: web
My objective is to allow Admins the right to sign Users up for a Project. Currently, Users can sign themselves up for Projects.

So I was thinking, in order to allow Admin to do this, of doing something like this:

In HAML:

= link_to "Project Signup", card_signups_path + "?user=#{user.id}", :class => "button"

And pass params[:user] so I can replace this in the controller with:

if params[:user]
  @card_signup = User.find(params[:user]).build_card_signup
else
  @card_signup = current_user.build_card_signup
end

The trouble is, though, that this is a 3-part signup process, and it's loaded via AJAX, so I can't pass the ?user=#{user.id} in any of the steps after the first (at least not by the same convention that I already used, or know how to).

What kind of strategy would you employ in this?


One possible way of accomplishing this would be to add a hidden field to your form that mirrors the parameter you're passing in, if it's found.

So if the parameter you're passing in is user, in your view you want to add a hidden field something like:

<input type="hidden" name="user" value="<%= params[:user] %>" />

or with a rails form helper:

hidden_field_tag 'user', params[:user]

This way the code in your controller can check for this parameter at each step on the receiving end and know who to save the object for. Something like this:

def create 
   @card_signup = CardSignup.new(params[:card_signup])
   if params[:user] && params[:user].to_i > 0
     ##
     ##some logic here to make sure current_user is admin, as no one else is allowed to do this
     ##
     @card_signup.user_id = params[:user]
   else
     @card_signup.user_id = current_user.id
   end
   ##onto validating model and saving / redirecting / etc
end

But the ultimate goal here is to keep the user param around: whether it's an initial GET parameter to the page or a PUT/POST from AJAX etc. to submit the form, this parameter will be there.

One other security angle to check would also be in the 'new' action of this controller, and check that if the user param is present then the current_user is an administrator, otherwise redirect or display an error message. This combined with re-validating this on the create should provide a decent way of making sure no one else can make these requests. You could also put this in a before_filter and call it for only new and create to keep things clean.
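The strategy above, as an added example that is not part of the original answer: plain Ruby (no Rails) modelling the two pieces the answer describes, the admin check that runs on both new and create whenever the user param is present, and the hidden field that carries the param through the later AJAX steps. Account, USERS, Forbidden and the function names are assumptions for this example.

```ruby
require "cgi"

# Constructed stand-in for the User model: id plus an admin flag.
Account = Struct.new(:id, :admin)

# Constructed sample accounts; 1 is an administrator, 2 and 3 are not.
USERS = {
  1 => Account.new(1, true),
  2 => Account.new(2, false),
  3 => Account.new(3, false),
}.freeze

class Forbidden < StandardError; end

# Decide which user the CardSignup is saved for. This is the logic the
# answer puts in a before_filter for new and create: with no user param,
# it is a self-signup; with a user param, the caller must be an admin and
# the target must exist, otherwise the request is rejected rather than
# silently falling back to current_user.
def signup_target_user_id(params, current_user, users = USERS)
  raw = params["user"]
  return current_user.id if raw.nil? || raw.to_s.strip.empty?

  raise Forbidden, "only admins may sign up other users" unless current_user.admin

  id = Integer(raw, exception: false)
  target = id && users[id]
  raise ArgumentError, "unknown user #{raw.inspect}" unless target

  target.id
end

# Mirror the incoming param into the next step's form so it survives the
# AJAX round-trips. The value is HTML-escaped because it came from the request.
def hidden_user_field(params)
  raw = params["user"]
  return "" if raw.nil? || raw.to_s.strip.empty?

  %(<input type="hidden" name="user" value="#{CGI.escapeHTML(raw.to_s)}" />)
end
```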
