i have table called users, if i want to delete some user (User can add questions and add respondents (who will answer on his questions)), i need to delete him and get his id to people who deleted this person. So for example:
Sure.
def destroy_and_transfer_to(user)
transaction do
questions.each do |q|
q.update_attribute(:user_id => user)
end
respondents.each do |r|
r.update_attribute(:user_id => user)
end
destroy
end
end
Now use this method instead of the "destroy" method.
OR
you can stick to callbacks like this
before_destroy :transfer_to
attr_accessor :user_who_takes_over
private
def transfer_to
if user_who_takes_over
questions.each do |q|
q.update_attribute(:user_id => user_who_takes_over)
end
respondents.each do |r|
r.update_attribute(:user_id => user_who_takes_over)
end
end
end
Then you can :
#user.user_who_takes_over = current_user
#user.destroy
Just a couple of ideas! Good Luck!
Update: All the code i provided above belongs in your model.
In your controller you need to have a destroy method
in your controller
def destroy
user = User.find(params[:id])
user.user_who_takes_over = current_user
if user.destroy
flash[:notice] = "User destroyed, all stuff transferred"
else
Rails.logger.debug(user.errors.inspect)
flash[:error] = "Error destroying user"
end
redirect_to :back
end
Change to suite your need of course!
Related
I'm in the process of creating a website similar to Reddit. I would like to allow a moderator to be able to update a topic, but not be able to create or delete topic. I'm aware that I need to update TopicsController but I'm not sure how. My main problem is that I'm not sure how to make the code specific enough to ensure that a moderator can only update; not delete or create a topic, as an admin can.
My current code looks like this:
class PostsController < ApplicationController
before_action :require_sign_in, except: :show
before_action :authorize_user, except: [:show, :new, :create]
def show
#post = Post.find(params[:id])
end
def new
#topic = Topic.find(params[:topic_id])
#post = Post.new
end
def create
#post.body = params[:post][:body]
#topic = Topic.find(params[:topic_id])
#post = #topic.posts.build(post_params)
#post.user= current_user
if #post.save
flash[:notice] = "Post was saved"
redirect_to [#topic, #post]
else
flash[:error] = "There was an error saving the post. Please try again."
render :new
end
end
def edit
#post = Post.find(params[:id])
end
def update
#post = Post.find(params[:id])
#post.assign_attributes(post_params)
if #post.save
flash[:notice] = "Post was updated."
redirect_to [#post.topic, #post]
else
flash[:error] = "There was an error saving the post. Please try again."
render :edit
end
end
def destroy
#post = Post.find(params[:id])
if #post.destroy
flash[:notice] = "\"#{#post.title}\" was deleted successfully."
redirect_to #post.topic
else
flash[:error] = "There was an error deleting the post."
render :show
end
end
private
def post_params
params.require(:post).permit(:title, :body)
end
def authorize_user
post = Post.find(params[:id])
unless current_user == post.user || current_user.admin?
flash[:error] = "You must be an admin to do that."
redirect_to [post.topic, post]
end
end
end
I've already added a moderator role to the enum role.
I apologise if this seems really basic...but it has got me stumped!
Thanks in advance!
I could answer with some custom solution, but it's better to use a more structured and community-reviewed approach: authorization with cancan.
As tompave noticed you can use cancan gem for this.
Personally I prefer pundit.
In old days I used to define permissions directly in code everywhere: in controllers, in views and even models. But it's really bad practice. When your app grows, you are lost: you update a view, but you should make the same change in controller and sometimes in model too. It soon becomes absolutely unmanageable and you have no idea what your users can and cannot do.
Pundit, on the other hand, offers central place -- policy -- for defining what user can do. Views and controllers can then use those policies.
For example, if you need to define Post's policy you simply create app/policies/post_policy.rb file:
class PostPolicy
attr_reader :user
attr_reader :post
def initialize(user, post)
#user = user
#post = post
end
def author?
post.user == user
end
def update?
author? || user.admin? || user.moderator?
end
def create?
author? || user.admin?
end
def destroy?
author? || user.admin?
end
# etc.
end
Now whenever you need to check user's ability to perform action, you can simply invoke:
# in controller
def update
#post = Post.find(params[:id])
authorize #post
# do whatever required
end
# in view
<% if policy(post).update? %>
<%= link_to 'Edit Post', post_edit_path(post) %>
<% end %>
As you can see Pundit is very easy to comprehend and it uses the same "convention over configuration" approach as Rails. At the same time it's very flexible and allows you to test virtually anything.
You will definitely need Pundit or any similar gem to manage permission in your ambitious app.
I have a company model, that accepts_nested_attributes_for :users and my controller looks like this:
def create
#company = Company.new(company_params)
if #company.save
redirect_to root_url
else
render 'new'
end
end
private
def company_params
params.require(:company).permit(:name, :company_size , users_attributes: [:id, :name])
end
what I'd like to do is set the admin boolean I have in user to true.
Essentially what I'm doing is making a user sign up by creating a company, and also registering their user, and thus making the person registering the company an admin.
You can simply alter the User object before it is saved.
def create
#company = Company.new(company_params)
#company.user.admin = true
if #company.save
redirect_to root_url
else
render 'new'
end
end
You could also do this as a a model callback. However your implementation might be a little to naive. What happens if a user belongs to several companies?
Rails 3.2. I am using the following code to associate user_id to the record:
# review.rb
class Review < ActiveRecord::Base
belongs_to :reviewable, :polymorphic => true, :counter_cache => true
end
# reviews_controller.rb
def create
#review = #reviewable.reviews.new(params[:review])
#review.user_id = current_user.id
if #review.save
flash[:success] = 'Thanks for adding your review.'
redirect_to #reviewable
else
flash[:error] = 'Error adding review, please try again.'
redirect_to #reviewable
end
end
I want to find a way to use this, but it keeps saying that the current_user is not defined, but I could find the current_user object:
def create
#review = #reviewable.current_user.reviews.create(params[:review]
if #review.save
flash[:success] = 'Thanks for adding your review.'
redirect_to #reviewable
else
flash[:error] = 'Error adding review, please try again.'
redirect_to #reviewable
end
end
If you can post your code to what the #reviewable object is, it might help to give a more specific answer. But if you want a one liner, you can do something like this:
#review = #reviewable.reviews.build(params[:review].merge({:user_id => current_user.id})
But personally, i think your original looks better as it's easier to read.
As an additional note, your second example also calls create and save. You don't need to call both, as create saves the object when accepting a hash of parameters. Save is nice to use if you want to initialize an object, modify it in some way, then save it later.
I think that the reason this does not work is because current_user is a method that is not defined on a reviewable.
The reviewable may belong to a user, in which case #reviewable.user.reviews.create... may be valid.
When the user is logged in, only the user who create the record can destroy his own record.
What should I add to the code below??
def destroy
#topic = Topic.find(params[:id])
#topic.destroy
flash[:notice] = "topic deleted!"
end
What you are looking for is not really devise but a authorization solution like CanCan.
Devise can only authenticate users and verify that they are logged in and active. What you need is a way to determine if the user has the right to delete this topic or not.
You can of course roll your own like this:
def destroy
#topic = Topic.find(params[:id])
if #topic.user_id == current_user.id
#topic.destroy
flash[:notice] = "topic deleted!"
else
flash[:error] = "not allowed"
end
end
(The code assumes you have a belongs_to :creator, :class_name => :user association set up in your Topic.. But you get the idea).
But using something like CanCan will make your life a whole lot easier and would reduce the code to something like this:
def destroy
#topic = Topic.find(params[:id])
authorize! :destroy, #topic
#topic.destroy
flash[:notice] = "topic deleted!"
end
With your ability file (See defining abilities) set up like this:
can :manage, Topic, :owner_id => user.id
User model: has_many :courses
Course model: belongs_to :user
def require_course
unless #check if current user has course
redirect_to root_url
return false
end
end
i need a method that checks if current user has courses. What should i write to check if current_user has course.
I'd go for
def require_course
redirect_to root_path if #user.courses.blank?
end
Documentation about Object#blank?
How about current_user.courses.size > 0 ?
Even a shorter one:
redirect_to(root_url) if #user.courses.size.zero?
Or even shorter:
def require_course
redirect_to root_url if #user.courses.empty?
end
(note the root_url instead of root_path, as discussed here.