Pundit: Disabling form fields corresponding to attributes that the user is unauthorized to update

Created on 24 Nov 2016  路  2Comments  路  Source: varvet/pundit

In a Rails app that uses forms to create/update records, when using the permitted_attributes method to restrict the update of some attributes, the user can still see the form fields corresponding to the restricted attributes. He has no way of knowing that he is not authorized to edit some of the form fields. If he tries to change the value of one of those (unauthorized) form fields and submits the form, no errors are generated. The modified values are simply lost (not saved). The user might not even notice this happened.

I have used the policy helper to add a disabled: true option to the form helpers that correspond to attributes whose values the current user is not authorized to change.

<%= f.select :role, User.roles.keys, {}, {class: "form-control", disabled: !policy(@user).permitted_attributes.include?(:role) } %>

Is that ok? If yes, may I create a pull request to explain it in the docs? Or, even better, may I take a stab at providing an easier way to do this (e.g., policy(@user).update?(:role))

question

Most helpful comment

I think your approach is fine. We have a PR to document this (kind of) in #421.

All 2 comments

If, for some reason, you think this doesn't make sense, please let me know why. Maybe I'm looking at this from the wrong angle...

I think your approach is fine. We have a PR to document this (kind of) in #421.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

gabrielecirulli picture gabrielecirulli  路  4Comments

ghost picture ghost  路  5Comments

linhmtran168 picture linhmtran168  路  3Comments

jdwolk picture jdwolk  路  3Comments

guzart picture guzart  路  4Comments