Hello, I have a form:

```
form
  input :amount
  select :bank_account_id, bank_accounts # bank accounts from current_user
  select :category_id, categories # categories from current_user
```

I'm using bank accounts and categories from the current user in the selects, but the user can inspect the HTML and fill the input value with another user's account id. I want to avoid this. Is there a best way to solve this problem with Action Policy? I'm evaluating this solution:

```ruby
def create
  authorize! BankAccount.find(record_params[:bank_account_id]), to: :show?
  authorize! Category.find(record_params[:category_id]), to: :show?
  result = Records::Create.call(attributes: record_params)
  if result.success?
    ...
  end
end
```
Replies: 1 comment 1 reply
I usually use scoping to verify associated record ids. Something like this:

```ruby
def record_params
  params.permit(:bank_account_id).tap do |permitted|
    permitted[:bank_account_id] = authorized(BankAccount).find_by(id: permitted[:bank_account_id])&.id
  end
end
```
If `bank_account_id` has been compromised, we do not pass it to the operation (`Records::Create.call`), and it's the responsibility of the operation to raise a validation exception (missing parameter).
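The scoping pattern from the reply above, written out end to end as an added example that is not code from the thread or from the Action Policy gem. It is plain Ruby: `Relation` is a small stand-in for the ActiveRecord relation the reply calls `find_by` on, `authorized_scope` imitates what a policy `relation_scope` that filters by owner does (rather than calling the gem), `record_params` resolves every submitted association id through the current user's scope so a foreign id becomes `nil`, and `create_record` plays the role of `Records::Create` and raises on the missing parameter. The users, accounts and categories are constructed sample data; all names are assumptions for illustration.

```ruby
# Added example (not from the thread or the Action Policy gem): a plain-Ruby
# model of "verify associated ids through the current user's scope".
BankAccount = Struct.new(:id, :user_id, :name)
Category    = Struct.new(:id, :user_id, :name)

# Constructed sample data: two users (10 and 20), each owning one account and one category.
BANK_ACCOUNTS = [
  BankAccount.new(1, 10, "user10 checking"),
  BankAccount.new(2, 20, "user20 checking"),
].freeze
CATEGORIES = [
  Category.new(100, 10, "groceries"),
  Category.new(200, 20, "rent"),
].freeze

# Minimal stand-in for an ActiveRecord relation: just enough `where`/`find_by`.
class Relation
  def initialize(records)
    @records = records
  end

  def where(**conds)
    Relation.new(@records.select { |r| conds.all? { |k, v| r[k] == v } })
  end

  def find_by(**conds)
    where(**conds).first
  end

  def first
    @records.first
  end
end

# Stand-in for a policy relation scope that keeps only the current user's records
# (the equivalent of `relation_scope { |r| r.where(user: user) }` in a policy class).
def authorized_scope(relation, current_user_id)
  relation.where(user_id: current_user_id)
end

# Mirrors the reply's record_params: each association id sent by the client is
# re-resolved through the current user's scope. An id that belongs to another
# user (or does not exist) resolves to nil instead of reaching the operation.
def record_params(params, current_user_id)
  {
    amount: params[:amount],
    bank_account_id: authorized_scope(Relation.new(BANK_ACCOUNTS), current_user_id)
                       .find_by(id: params[:bank_account_id])&.id,
    category_id: authorized_scope(Relation.new(CATEGORIES), current_user_id)
                   .find_by(id: params[:category_id])&.id,
  }
end

class MissingParameter < StandardError; end

# Stand-in for Records::Create: the operation, not the controller, is the place
# that rejects the nil id with a validation error.
def create_record(attributes)
  %i[bank_account_id category_id].each do |key|
    raise MissingParameter, "#{key} is missing" if attributes[key].nil?
  end
  { status: :created, record: attributes }
end

if __FILE__ == $PROGRAM_NAME
  # User 10 submits their own ids: accepted.
  p create_record(record_params({ amount: 5, bank_account_id: 1, category_id: 100 }, 10))
  # User 10 submits user 20's account id (2): scoped to nil, operation rejects it.
  begin
    create_record(record_params({ amount: 5, bank_account_id: 2, category_id: 100 }, 10))
  rescue MissingParameter => e
    puts "rejected: #{e.message}"
  end
end
```

The point worth noticing is that the controller never branches on "is this id mine?"; the scope simply cannot return records the user does not own, so the only thing left for the operation to validate is presence.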