In a Rails app that uses forms to create/update records, when using the permitted_attributes method to restrict the update of some attributes, the user can still see the form fields corresponding to the restricted attributes. He has no way of knowing that he is not authorized to edit some of the form fields. If he tries to change the value of one of those (unauthorized) form fields and submits the form, no errors are generated. The modified values are simply lost (not saved). The user might not even notice this happened.
I have used the policy helper to add a disabled: true option to the form helpers that correspond to attributes whose values the current user is not authorized to change.
<%= f.select :role, User.roles.keys, {}, {class: "form-control", disabled: !policy(@user).permitted_attributes.include?(:role) } %>
Is that ok? If yes, may I create a pull request to explain it in the docs? Or, even better, may I take a stab at providing an easier way to do this (e.g., policy(@user).update?(:role))
If, for some reason, you think this doesn't make sense, please let me know why. Maybe I'm looking at this from the wrong angle...
I think your approach is fine. We have a PR to document this (kind of) in #421.
Most helpful comment
I think your approach is fine. We have a PR to document this (kind of) in #421.