Authorization design question


Christopher Thielen

Jul 28, 2012, 7:40:08 PM
I'm building a simple web store with a Product model and an Order model. Non-authenticated users (i.e. guests) make orders but cannot update them (no login system with this store).

I keep a 'quantity' attribute in my Product model to keep track of how many of that item are left to sell. The problem is, I don't want the guest role to have permission to update products (they could change prices, names, etc. if so!) but I need to decrease the quantity and save an updated Product model in an action caused by the guest role.

without_access_control seems to be for testing. What's the best way to go about this issue?

Edward Rudd

Jul 28, 2012, 8:08:51 PM
Actually, without_access_control would be the way to go. You just need to use it only around the quantity update and not rely on user-provided input in that section, e.g. don't go passing params and doing mass assignment.

I use that in a few places in my code base around specific controlled areas.

Sent from my iPad
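The pattern Edward describes, as an added example that is not code from the thread or from the declarative_authorization gem: the guest's order action parses the requested quantity into an Integer, and only the stock decrement runs inside a without_access_control block, so nothing else about the Product can change. The `AccessControl` module below is a constructed stand-in for the gem's block (a flag that tells the model to skip its permission check); the `Product`, `place_guest_order`, and the deliberately insecure `place_guest_order_insecure` are hypothetical names for the example, and the role/permission table is assumed. It runs without Rails or the gem.

```ruby
require 'set'

# Stand-in for declarative_authorization's without_access_control block
# (assumption: not the gem's implementation). A thread-local flag that the
# model's permission check consults; restored even if the block raises.
module AccessControl
  def self.ignore?
    Thread.current[:ignore_access_control] == true
  end

  def self.without_access_control
    previous = Thread.current[:ignore_access_control]
    Thread.current[:ignore_access_control] = true
    yield
  ensure
    Thread.current[:ignore_access_control] = previous
  end
end

class NotAuthorized < StandardError; end
class OutOfStock < StandardError; end

# Hypothetical Product model: guests may :read but never :update.
class Product
  PERMISSIONS = { guest: Set[:read], admin: Set[:read, :update] }.freeze
  attr_reader :name, :price, :quantity

  def initialize(name:, price:, quantity:)
    @name, @price, @quantity = name, price, quantity
  end

  # Broad update (what "updating products" means): denied to guests.
  def update!(role, attrs)
    authorize!(role, :update)
    @name = attrs[:name] if attrs.key?(:name)
    @price = attrs[:price] if attrs.key?(:price)
    @quantity = attrs[:quantity] if attrs.key?(:quantity)
    self
  end

  # Narrow operation for the order flow: takes one trusted Integer, never a
  # params hash, so price and name cannot be touched through it.
  def decrement_stock!(role, count)
    authorize!(role, :update)
    unless count.is_a?(Integer) && count.positive?
      raise ArgumentError, 'count must be a positive Integer'
    end
    raise OutOfStock, name if count > @quantity
    @quantity -= count
    self
  end

  private

  def authorize!(role, privilege)
    return if AccessControl.ignore?
    allowed = PERMISSIONS.fetch(role, Set.new)
    raise NotAuthorized, "#{role} may not #{privilege} #{name}" unless allowed.include?(privilege)
  end
end

# Guest order action. `params` is untrusted request input (string keys and
# values, as in a Rails controller). Only the sanitized count crosses into the
# access-control-free block; extra keys such as 'price' are never read.
def place_guest_order(product, params)
  count = Integer(params.fetch('quantity'), 10) # raises ArgumentError on junk
  AccessControl.without_access_control do
    product.decrement_stock!(:guest, count)
  end
end

# Anti-pattern kept for contrast: mass-assigning params inside the block lets
# a guest rewrite price and name. Do not do this.
def place_guest_order_insecure(product, params)
  AccessControl.without_access_control do
    product.update!(:guest, params.transform_keys(&:to_sym))
  end
end
```

The design point is that the block widens what the *code inside it* may do, so the code inside it must be narrow: a dedicated method with a typed argument, not a generic update fed from the request. Outside the block, the same guest role is still refused both `update!` and `decrement_stock!`, which keeps the role definitions honest.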