Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>Rather than storing the company_id in the session, you should instead add a randomly generated token column to the company, and get the id by doing Company.find_by_token(session[:token]). If you look at how the current_user method in <a href="http://railscasts.com/episodes/270-authentication-in-rails-3-1" rel="nofollow">this Railscast on authentication</a>, it's the same idea.</p> <p>Edit: Sorry, I misunderstood your question. You should not have a hidden company_id field at all in your view. You should be setting it manually in your create method:</p> <pre><code>@user = User.new(params[:user]) @user.company_id = session[:company_id] </code></pre> <p>And you can protect the company_id from ever being set from the user changing an input name by having company_id protected against mass assignment in the model:</p> <pre><code>attr_protected :company_id </code></pre> <p>See the <a href="http://guides.rubyonrails.org/security.html#mass-assignment" rel="nofollow">rails guide on mass assignment protection</a> for more information. Note: a more common solution is something along these lines:</p> <pre><code>class ApplicationController &lt; ActionController::Base protect_from_forgery def current_company @current_company ||= Company.find_by_auth_token!(cookies[:auth_token]) if cookies[:auth_token] end end class User &lt; ApplicationController def create @user = current_company.users.build(params[:user]) end end </code></pre> <p>UPDATE 2:</p> <p>So you're creating a user and a role, and want to do separate validation on them, this should do what you want.</p> <pre><code>role_params = params[:user].delete :role # Change to the appropriate symbol for your form @user = User.new(params[:user]) role = @user.roles.build(role_params) role.company_id = session[:company_id] if(@user.save and role.user_id = @user.id and role.save) # Might want to just check for valid instead of trying to save ... </code></pre>
    singulars
    1. This table or related slice is empty.
    1. POCan I set a nested attribute in the controller vs. the view
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USsgrif
    1. USsgrif
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POCan I set a nested attribute in the controller vs. the view
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTAcceptedByOriginator
    1. COThanks for the tip. That is probably a good idea but that still doesn't solve my issue. Currently a user could mass assign another company_id and access another company's account. Its not likely this would ever happen I just see it as a glaring security hole.
      singulars
      1. PO
      1. USDan Tappin
    2. COI have updated my answer to more appropriately answer your question. It looks like you're trying to reinvent the wheel on mass assignment protection when it's already built into rails! Gave examples on how to handle this, and a link to the official rails guide on the subject.
      singulars
      1. PO
      1. USsgrif
    3. COOk. I get what you are saying. I am actually using that Railscast in this app. I think attr_protected is my solution. The remaining issue is that the company_id is not set on the User but on the nested Role. I have a system where a single user login (email) can have access to multiple Company models via the Role. Each Role has a user_id and a company_id. The user_id gets set automatically in the nested form but I need to manually set the company_id. I am at a loss how to do this as the accepts_nested_attributes seems to do it via magic.
      singulars
      1. PO
      1. USDan Tappin
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload