Dercni

Reputation: 1224

Rails validation vs authorization

I have a scenario where I am unsure of whether a particular function should be considered validation or authorization. I can code it either way.

Users can "like" articles.

When a user creates a new "like" I need to ensure the user has not already liked the article. The front end will limit the functionality; however, I want back-end safeguards.

Should the process of ensuring a user has not already liked the article be considered validation or authorization?

Further to comments received:

If auth determines whether or not the option is available to the user, and validation determines whether the user's selection is valid, then...

Auth will make the option to click "like" available even when the user has previously "liked", and therefore it will inevitably fail validation.

This thinking results in an invalid option being presented to the user.

Is ensuring the user can only delete/edit their own "likes" auth or validation? The previous logic implies it should be validation, as the user is either authorised to add/update or destroy within the model or not, and ensuring their actions are valid is the role of validation. However, it would be illogical to present the option to delete another user's like only to reject it upon failed validation.

Upvotes: 2

Views: 769

Answers (4)

rodic

Reputation: 445

Authorization would be: is this user allowed to perform this action? Validation: will this action succeed? Given that the user is allowed to 'like', ensuring he can do it only once is a validation problem. To solve it, put a unique constraint at the DB level on (user_id, article_id).

Upvotes: 1

praaveen V R

Reputation: 1261

a. You should use Rails validation to make sure he/she can like once, not more than that. b. Authorization is to restrict the user from hitting like.

Upvotes: 1

Yanis Vieilly

Reputation: 857

This is validation. I don't know your model architecture, but if you have a Like model, you could validate like this:

class Like < ActiveRecord::Base
  # belongs_to takes the association name, not the foreign-key column;
  # Rails derives user_id / article_id from these.
  belongs_to :user
  belongs_to :article

  # One like per (user, article) pair
  validates :article_id, uniqueness: { scope: :user_id }
end

You should also make sure that a unique constraint is present at the DB level, to avoid a potential race condition.

Upvotes: 2
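The two-layer design that rodic and Yanis Vieilly describe (uniqueness validation in the model, unique constraint at the database, owner check as authorization) can be seen in a single runnable file without Rails. The following is an added example, not code from the question or from any answer: it simulates the layers in plain Ruby, with a `LikeStore` standing in for a `likes` table that has a unique index on `(user_id, article_id)`, a `valid?` method standing in for the `validates ... uniqueness: { scope: ... }` check, and a `RecordNotUnique` error standing in for `ActiveRecord::RecordNotUnique`. All class and method names here are this example's own assumptions.

```ruby
# Added example (not from the question or any answer): a plain-Ruby simulation of
# the three layers discussed in the thread, so it runs without Rails or a database.
#   validation    -> LikeStore#valid?  (analogue of the ActiveRecord uniqueness validation)
#   DB constraint -> LikeStore#insert! (rejects a duplicate pair like a unique index would)
#   authorization -> LikeStore#destroy (only the owner may delete a like)
require 'set'

# Raised by the store in place of ActiveRecord::RecordNotUnique.
class RecordNotUnique < StandardError; end
# Raised when a user tries to delete somebody else's like.
class NotAuthorized < StandardError; end

Like = Struct.new(:user_id, :article_id)

# Stands in for a table created with `add_index :likes, [:user_id, :article_id], unique: true`.
class LikeStore
  def initialize
    @rows = []
    @index = Set.new   # the unique index: one entry per (user_id, article_id)
    @lock = Mutex.new  # the database checks the constraint and writes atomically
  end

  # Application-level validation, analogous to
  # `validates :article_id, uniqueness: { scope: :user_id }`.
  # It is a read that happens before the write, so two concurrent requests can both pass.
  def valid?(like)
    !@index.include?([like.user_id, like.article_id])
  end

  # Raw insert: the constraint is enforced here, atomically, whatever valid? said earlier.
  def insert!(like)
    @lock.synchronize do
      key = [like.user_id, like.article_id]
      raise RecordNotUnique, "duplicate like #{key.inspect}" if @index.include?(key)
      @index << key
      @rows << like
    end
    like
  end

  # Validation first, then insert, with the constraint as the backstop.
  # Returns :created, :invalid (caught by validation) or :duplicate (caught by the DB layer).
  def create(like)
    return :invalid unless valid?(like)
    insert!(like)
    :created
  rescue RecordNotUnique
    :duplicate
  end

  # Authorization: a question of *who* is acting, not of whether the record is well-formed.
  def destroy(like, acting_user_id)
    raise NotAuthorized, "user #{acting_user_id} does not own this like" unless like.user_id == acting_user_id
    @lock.synchronize do
      @index.delete([like.user_id, like.article_id])
      @rows.delete(like)
    end
    true
  end

  def count
    @rows.size
  end
end

# Two simultaneous "like" requests from the same user, with the interleaving spelled out:
# both pass validation before either has written, so only the unique constraint stops the second.
def race_demo
  store = LikeStore.new
  like = Like.new(7, 42)   # constructed sample: user 7 likes article 42 twice at once
  results = []
  results << :invalid unless store.valid?(like)   # request A validates: ok
  results << :invalid unless store.valid?(like)   # request B validates: also ok (window open)
  2.times do                                      # both now write
    begin
      store.insert!(like)
      results << :created
    rescue RecordNotUnique
      results << :duplicate
    end
  end
  [results, store.count]   # => [[:created, :duplicate], 1]
end
```

`race_demo` is the reason Yanis Vieilly's answer insists on the database constraint: the model validation alone leaves a check-then-write window, and the unique index is what guarantees a single row survives. The owner check in `destroy` is the separate authorization question from the end of the post; it is decided by comparing the acting user to the record's owner, before any validation runs.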

K M Rakibul Islam

Reputation: 34338

This sounds more like validation. You have to check in your model whether or not this article was liked by this user. If it was, then this like is invalid and he can't like it now. Otherwise, it will pass the validation and the user will be able to like this article.

Authorization should come in when some user can like some set of articles, but not all; in those situations, in my honest opinion.

Upvotes: 1
