Based on a user's authorization, I'd like to sanitize the parameters to include the ones which they are allowed to update. There are 5 different roles for the one model, and I'd rather not list out 25 possible combinations and call

    params.require(:asset).permit( stuff )

25 times.

Is there a way to "build" the strong parameters? The only possible way I've found is "merge", but I can't seem to get it to work.
This is where I'm at:

    def update_params
      p = params.require(:asset)
      if can? :update, Asset
        p.merge params.require(:asset).permit(:code, :description)
      end
      if can? :update, Ability::THING1
        p.merge params.require(:asset).permit(:some_nested_stuff => [:id, :quantity, :_destroy],
                                              :some_other_nested_stuff => [:id, :quantity, :_destroy])
      end
      if can? :update, Ability::THING2
        p.merge params.require(:asset).permit(more_nested_stuff: [:id, :date, :note])
      end
      if can? :update, AssetNote
        p.merge params.require(:asset).permit(notes_attributes: [:id, :note, :_destroy])
      end
      p
    end

With this I get "ForbiddenAttributesError" instead of it just throwing away the attributes.
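
An added example, not part of the original post: in the snippet above each `merge` returns a new object that is discarded, so the method hands back the unpermitted `p`. One way to "build" the allow-list instead is to collect the filters per granted ability and call `permit` once. The ability keys, `permit_filters`, `filter_hash` and the sample data are assumptions made for illustration; `filter_hash` is a simplified plain-Hash stand-in for `permit` so the block runs without Rails.

```ruby
# Hypothetical ability labels; e.g. :asset means `can? :update, Asset` passed.
FIELDS_BY_ABILITY = {
  asset:  [:code, :description],
  thing1: [{ some_nested_stuff: [:id, :quantity, :_destroy],
             some_other_nested_stuff: [:id, :quantity, :_destroy] }],
  thing2: [{ more_nested_stuff: [:id, :date, :note] }],
  notes:  [{ notes_attributes: [:id, :note, :_destroy] }]
}.freeze

# Build the argument list for ONE permit call from the granted abilities.
# Unknown abilities grant nothing (fail closed).
def permit_filters(granted)
  scalars = []
  nested = {}
  granted.each do |ability|
    FIELDS_BY_ABILITY.fetch(ability, []).each do |f|
      f.is_a?(Hash) ? nested.merge!(f) : scalars << f
    end
  end
  nested.empty? ? scalars.uniq : scalars.uniq + [nested]
end

# In a Rails controller the list would be used as:
#   params.require(:asset).permit(*permit_filters(granted))

# Simplified stand-in for permit: keys not named in the filters are dropped.
def filter_hash(input, filters)
  filters.each_with_object({}) do |f, out|
    if f.is_a?(Hash)
      f.each do |key, sub|
        next unless input.key?(key)
        rows = input[key]
        out[key] = rows.is_a?(Array) ? rows.map { |r| filter_hash(r, sub) } : filter_hash(rows, sub)
      end
    elsif input.key?(f)
      out[f] = input[f]
    end
  end
end

# Constructed sample request body; :admin and :owner_id are on no allow-list.
SAMPLE = { code: "A1", description: "pump", admin: true,
           notes_attributes: [{ id: 1, note: "ok", owner_id: 9 }] }.freeze

# What each set of granted abilities lets through from SAMPLE.
def demo(granted)
  filter_hash(SAMPLE, permit_filters(granted))
end
```
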