How to restrict data for a model attribute

[jclusso]

I'm wondering what the best way to do this would be. My scenario has two roles, Admin and Super Admin, and an invoice model with a cost and a cost_override fields.

Super Admins are allowed to adjust the cost_override field to whatever they want, whereas Admins are only allowed to set the cost_override to be within 25% of the cost

How would you structure this?

[palkan]

That's an interesting example.

I would use something like that:

# assuming the model is named Product
class ProductPolicy < ApplicationPolicy
  params_filter do |params|
    params.permit(:cost, :cost_override).tap do |filtered|
      filtered.delete(:cost_override) if (filtered[:cost_override] / filtered[:cost].to_f) > 0.25 && !super_admin?
    end
  end
end

Here I delete unauthorized parameter; raising Unauthorized can be an option, too.

But I assume that both cost and cost_override present in the params. I guess, it's possible to update only the cost_override (or only the cost) param, right?

I think, using policies for form submit verification is not the right way of doing this. I would add a form object to handle this operation and use policies there:

# very abstract code
class ProductForm < ApplicationForm
  include ActionPolicy::Behaviour

  attribute :cost, :cost_override
  
  validate :cost_override_within_limits, unless: :manage_cost?
  
  # ...
  def cost_override_within_limits
    errors.add(:cost_override, "must be <25% of the cost") if (product.cost_override / produce.cost > 0.25)
  end
end

So, we still use a policy here (#manage_cost?—naming is hard 🙂) to define whether to validate this condition, but the actual check is implemented as a validation.

[jclusso]

Thanks for that detailed example. I typically try and avoid custom forms unless I'm dealing with multiple objects or something that doesn't tie to a single model. In my current situation I actually am using one so this would work. It's one of maybe 3 in the entire project!

I'm also wondering how does including ActionPolicy::Beavior work? Does that ProductForm need to be instantiated with current_user passed in or something? Or is there some magic that just makes this work behind the scenes some how?

[palkan]

current_user must be passed by you, and you need to tell Action Policy how to get the user context. So, the full example would be:

class ProductForm < ApplicationForm
  include ActionPolicy::Behaviour
  authorize :user

  # ...
end

Then, you can pass user as a form parameter (and expose via attr_reader).

Actually, #manage_cost? should be written as:

validate :cost_override_within_limits, unless: -> { allowed_to?(:manage_cost?, product) }

So, Behaviour adds #authorize!, #authorized_scope and #allowed_to? methods.

[jclusso]

Alright, I see how this could work. Thanks!