Authorization design question


Christopher Thielen

Jul 28, 2012, 7:40:08 PM7/28/12
to declarative_...@googlegroups.com
I'm building a simple web store with a Product model and an Order model. Non-authenticated users (i.e. guests) make orders but cannot update them (no login system with this store).

I keep a 'quantity' attribute in my Product model to keep track of how many of that item are left to sell. The problem is, I don't want the guest role to have permission to update products (they could change prices, names, etc. if so!) but I need to decrease the quantity and save an updated Product model in an action caused by the guest role.

without_access_control seems to be for testing. What's the best way to go about this issue?

Edward Rudd

Jul 28, 2012, 8:08:51 PM7/28/12
to declarative_...@googlegroups.com, declarative_...@googlegroups.com
Actually without_access_control would be the way to go.  You just need to only use it around just the quantity update and not rely on user provided input in that section. E.g. Don't go passing params and doing mass assignment.

I use that in a few places in my code base around specific controlled areas.


Sent from my iPad
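The pattern in the reply above, as an added example that is not from the thread or the declarative_authorization gem: the privileged block is opened only around the stock decrement, and the only value that reaches it is a bounded integer taken from the order line, never the request params. `Access.without_access_control`, `Product`, `update_attributes` and `reserve_stock` are constructed stand-ins (a thread-local flag in place of the gem's real helper) so the file runs without Rails.

```ruby
module Access
  # Constructed stand-in for declarative_authorization's without_access_control:
  # flips a thread-local flag for the duration of the block, then restores it.
  def self.without_access_control
    prev = Thread.current[:skip_access_control]
    Thread.current[:skip_access_control] = true
    yield
  ensure
    Thread.current[:skip_access_control] = prev
  end

  def self.skipped?
    !!Thread.current[:skip_access_control]
  end
end

class NotAuthorized < StandardError; end
class OutOfStock < StandardError; end

# Minimal Product stand-in: the guest role may never write to a product through
# normal attribute assignment (price, name, ...), only through the narrow path below.
class Product
  attr_reader :name, :price, :quantity

  def initialize(name:, price:, quantity:)
    @name, @price, @quantity = name, price, quantity
  end

  # Mirrors the gem's model-level check: a write is refused for the guest role
  # unless it happens inside the privileged block.
  def update_attributes(attrs)
    raise NotAuthorized, "guest may not update products" unless Access.skipped?
    attrs.each { |k, v| instance_variable_set("@#{k}", v) }
    true
  end
end

# Decrement stock for one order line. Only the quantity field is touched, and
# the amount is coerced to a positive Integer first (Integer("abc") raises,
# unlike "abc".to_i, which silently gives 0).
# NOT this: Access.without_access_control { product.update_attributes(params[:product]) }
def reserve_stock(product, requested)
  qty = Integer(requested)
  raise ArgumentError, "quantity must be positive" unless qty.positive?
  Access.without_access_control do
    raise OutOfStock, product.name if product.quantity < qty
    product.update_attributes(quantity: product.quantity - qty)
  end
  product.quantity
end
```

In a real Rails app the stock check and the decrement inside the block should also run in a transaction with a row lock (`product.lock!`), otherwise two concurrent guest orders can both pass the `quantity < qty` check and oversell the item.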