I am creating a forum software. I want admins and mods to be able to close certain topics.

Code is trimmed to show only the relevant info.

Models

class User < ActiveRecord::Base
  attr_accessible :name, :email, :password, :password_confirmation, :bio
  has_many :topics, dependent: :destroy
end

class Topic < ActiveRecord::Base
  belongs_to :user
  attr_accessible :name, :last_post_id, :content
end

Schema for user: admin and mod columns determine admins and mods.

create_table "users", :force => true do |t|
  t.string   "name"
  t.string   "email"
  t.datetime "created_at",                         :null => false
  t.datetime "updated_at",                         :null => false
  t.string   "password_digest"
  t.string   "remember_token"
  t.boolean  "admin",           :default => false
  t.text     "bio"
  t.boolean  "mod",             :default => false
end

Schema for topic: closed column determines topic's closed status.

create_table "topics", :force => true do |t|
  t.datetime "created_at",                      :null => false
  t.datetime "updated_at",                      :null => false
  t.integer  "forum_id"
  t.string   "name"
  t.integer  "last_post_id"
  t.integer  "views"
  t.integer  "user_id"
  t.boolean  "closed",       :default => false
  t.text     "content"
end

I am reluctant to use attr_accessible :closed for the TOPIC model because it will be vulnerable to a malicious PUT request (correct me if I am wrong).

Is there some way for a Rails app to access and modify the value of the closed column of TOPIC without using attr_accessible, so that only mods and admins can edit it?


Solution

I searched on Google and found this ASCIIcast.

Basically, you are looking for dynamic attr_accessible.

If you currently have

class Article < ActiveRecord::Base
  attr_accessible :name, :content, :closed
end

You can use dynamic attr_accessible like this:

class Article < ActiveRecord::Base
  # Only the attributes anyone may mass-assign are whitelisted here.
  attr_accessible :name, :content

  private

  # Extends the mass-assignment whitelist at runtime; whatever this
  # returns is what assign_attributes / update_attributes will accept.
  # (In Rails 3.1+ the method receives a role argument: def mass_assignment_authorizer(role))
  def mass_assignment_authorizer
    super + [:closed]
  end
end

I hope this is what you are looking for. Be sure to check the link I gave you for a complete reference.
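To show how the question's concern (a non-staff user sneaking `closed` into a PUT) and the answer's dynamic authorizer fit together, here is an added illustration in plain Ruby that is not from the original post or from Rails itself. It mimics a role-aware `mass_assignment_authorizer` and strict sanitizing without ActiveRecord; the `User`, `Topic` and `update_topic` names are assumptions for the example.

```ruby
# Added example (not from the original post): role-dependent mass-assignment
# whitelist, written in plain Ruby so it runs without ActiveRecord.
require 'set'

class MassAssignmentError < StandardError; end

# Mirrors the users table: admin and mod columns decide staff status.
User = Struct.new(:name, :admin, :mod) do
  def moderator?
    admin || mod
  end
end

class Topic
  # Attributes anyone may set, and the superset only staff may set.
  PUBLIC_ATTRS = Set[:name, :content, :last_post_id]
  STAFF_ATTRS  = PUBLIC_ATTRS + Set[:closed]

  attr_reader :name, :content, :last_post_id, :closed

  def initialize
    @closed = false # same default as the schema
  end

  # The whitelist depends on who is assigning, not on the request.
  def mass_assignment_authorizer(role)
    role == :moderator ? STAFF_ATTRS : PUBLIC_ATTRS
  end

  # Assign from untrusted params; any key outside the whitelist raises,
  # which is the behaviour of Rails' strict mass-assignment sanitizer.
  def assign_attributes(params, as: :default)
    allowed = mass_assignment_authorizer(as)
    params.each do |key, value|
      key = key.to_sym
      raise MassAssignmentError, "protected attribute: #{key}" unless allowed.include?(key)
      instance_variable_set("@#{key}", value)
    end
    self
  end
end

# Controller-side helper: the role comes from the logged-in user's columns.
def update_topic(current_user, topic, params)
  role = current_user.moderator? ? :moderator : :default
  topic.assign_attributes(params, as: role)
end
```

A PUT with `closed=true` from an ordinary member is rejected, while a mod's or admin's request closes the topic.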
