
Mass assignment and roles in Rails


I have Users, Roles, and Network models in Rails 3. Users and Networks have a HMT relationship through Roles. If a User has a Role type of 'admin' with a specific Network, he/she can change the Role of other Users.

It seems like the Role type should not be available via mass-assignment. So how does a Network admin change the position type of other Users? I actually think this is a really basic question, but I just can't find the answer.

I am using CanCan and have a current_user method. Does that simply mean the controller would have a simple if/then check to see if the user has the appropriate role in a network?

Does mass assignment only apply to pages that have no authentication?


Solution

  • So, a couple of things:

    1. You'll presumably display a role select box on the users/1/edit page if the user is an admin
    2. On the update action on the controller, you'll have some kind of authorization to make sure the user is an admin
    3. When the time comes to make the update:

    class MyModel < ActiveRecord::Base
      # Default whitelist: what an ordinary request may mass-assign
      attr_accessible :some_attr, :other_attr
      # Admin whitelist: also permits role_id, but only when :as => :admin is passed
      attr_accessible :some_attr, :other_attr, :role_id, :as => :admin
    end

    class MyController < ApplicationController
      def update
        @user = MyModel.find(params[:id])
        # admin check before doing the following
        if @user.update_attributes(params[:user], :as => :admin)
          redirect_to root_path
        end
      end
    end
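As an added example (not part of the answer above and not Rails' own code), here is a stand-alone plain-Ruby model of what the role-scoped whitelists do: the same `attr_accessible` / `update_attributes(:as => ...)` calls, with the controller side choosing the role from its authorization check so that `role_id` submitted by a non-admin is dropped. The `User` class, the `role_id` attribute and the `apply_update` helper are assumptions for the demonstration.

```ruby
# Constructed stand-in for Rails 3.1 role-scoped attr_accessible (not ActiveRecord):
# one whitelist per role; submitted keys outside the chosen whitelist are dropped,
# which is the default (non-strict) mass_assignment_sanitizer behaviour.
module RoleScopedMassAssignment
  def self.included(base); base.extend(ClassMethods); end

  module ClassMethods
    # attr_accessible :a, :b                 -> whitelist for the :default role
    # attr_accessible :a, :b, :as => :admin  -> whitelist for the :admin role
    def attr_accessible(*attrs)
      options = attrs.last.is_a?(Hash) ? attrs.pop : {}
      role = options.fetch(:as, :default)
      whitelists[role] = attrs.map(&:to_s)
    end

    def whitelists
      @whitelists ||= {}
    end
  end

  # Keep only the keys the given role may assign; unknown roles fall back to :default.
  def sanitize_for_mass_assignment(attributes, role = :default)
    allowed = self.class.whitelists.fetch(role) { self.class.whitelists.fetch(:default, []) }
    attributes.select { |key, _| allowed.include?(key.to_s) }
  end

  def update_attributes(attributes, options = {})
    role = options.fetch(:as, :default)
    sanitize_for_mass_assignment(attributes, role).each do |key, value|
      send("#{key}=", value)
    end
    true
  end
end

class User
  include RoleScopedMassAssignment
  attr_accessor :name, :email, :role_id
  attr_accessible :name, :email
  attr_accessible :name, :email, :role_id, :as => :admin
end

# Controller-side decision: only a caller who passed the network-admin check
# (e.g. CanCan's authorize!) gets the :admin whitelist; everyone else gets :default.
def apply_update(user, params, current_user_is_admin)
  user.update_attributes(params, :as => (current_user_is_admin ? :admin : :default))
  user
end
```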