For your first example, what about cases where you don’t have the current user object already?

Say you save the user id in the session, wouldn’t it make sense to do this: TodoList.find_by_id_and_user_id(params[:id], session[:current_user_id])

Rather than lookup the User just do a scoped find?

@Jared:

I would recommend you always fetch the user record, and there are a few reasons for that:

1) If the user is deleted, they’ll be prevented from using the application. 2) You almost certainly want the user object for other parts of the application, perhaps rendering a partial which contains the user’s name. 3) Unless you have extensive benchmarks showing that your ‘find a user’ query is the problem, what you’re doing is premature optimisation with a big hit to readibility.

@Jared:

This pattern is used throughout most of the authorization plug-ins. You’d simply have a current_user method that returned the current user object from session.

If the current user object wasn’t in the session, you’d probably just redirect to the login page.

def current_user @current_user if logged_in? end

That sort of deal.

Good stuff. I think this all basically boils down to, as Chad Fowler put it, “don’t use SQL in your controller”. Or more specifically, don’t use SQL or anything that builds SQL in your controller. I think it’s a good best practise.

In the last situation, you could also do something along the lines of current_user.todo_lists.complete and current_user.todo_lists.active using memoization. I prefer the syntax and it’s only a tiny bit more code. (Example).

@Jon:

But your solution doesn’t let you call find on the ‘active’ collection, making things like pagination, includes etc. You could implement that with with_scope in a class method, but then you’ve just reinvented has_many.

Fair comment. I guess it depends how you need to use it. You could always add a “page” parameter to the method, for example, which would change the query (though that would also affect the memoized value)—that would help with factoring all SQL into the model.

Compare:

@completed = current_user.completed_lists.find(:all, :pagination_conds)

vs.

@completed = current_user.todo_lists.complete(params[:page])

Still, it depends how much flexibility is needed as to which is a better option.

Kind of surprised you didn’t mention calling through the association proxy to class methods, as you demonstrated here. That’s a nicer solution all round, surely?

@Michael

I’m not suggesting your method is bad or trying to prematurely optimize. Most of the time it does make sense to use the association just as you described. Rather, I was just suggesting that in cases where you don’t already have the User object, it seems silly to me to do an extra query to first fetch the User just for the sake of doing a scoped find.

Your reasons for suggesting that one would always want to pull back a User object are reasonable. I just wasn’t making the same set of assumptions.

Anyway, it’s just my two cents.

@Jon: Absolutely, everything comes down to trade-offs. Both options work fine and it basically comes down to your own personal preference.

@jared: Sure, I didn’t mean to suggest you’re prematurely optimizing just that most people who use that approach would be much better served by fetching the record.

@Tom: Good point, I’ll work a section in here doing just that.

@Tom: Done, thanks for the tip!!

Would Tom’s way no have exactly the same issues as the way I suggested? Or have I missed something?

@Jon: Search takes a parameter so you couldn’t replace it with an association. It’s included for completeness when referencing this article in the future.

Great post as always – I’m guilty of a few of these myself… off to refactor. Thanks guys!

However a big downside to this approach is that repeated calls to active_lists will issue the query again

Regarding that last example, I really like the scope_out plugin for creating the finders.

class TodoList < ActiveRecord::Base
  scope_out :active, :conditions => {:completed => false}
  scope_out :completed
end

class User < ActiveRecord::Base
  has_many :todo_lists, :extend => TodoList::AssociationMethods
end

Now all of the following work:

1. with caching as Jamis recommended on his blog current_user.todo_lists.active

@Nicolas: While it does cache the query result, it saves the result set not the instance, and will still incur quite a bit of overhead while building up the objects from the hashes.

@Dan: Interesting plugin, but I think I still prefer the seperate associations rather than the scoped class methods. Caching is only the first part of the job. Cache invalidation is harder, and the association methods give you that with current_user.active_lists(:reload).each…

I really like your solution to second and third problem.

However I do not entirely agree with first suggestion. Using association find is in fact a cleanest way of fetching user’s resources. Knowing that I still separately fetch items by id and explicitly check ownership.

When there is no item with given ID I simply send out 404 response. But when user is unauthorized to view existing resource I log such occurrence together with user’s information and send out 403 (Unauthorized).

I think such approach is more REST oriented and in addition allows to find potential troublemakers early.

This is a great Rails pattern that I’ve used many times.

However I’m still looking for a way to cleanly handle the case where some of the users (e.g. admin users) should have acces to all the records, and some should have access only to their own.

Thanks Koz, this is great. I love the anti-pattern rundown, too. I’ve hit most of those before settling on the recommended approach. This could have saved me some time :-)

@Bragi: If you have reasons for handling the error states seperately, then yeah, the ‘query then check’ style is probably best for you.

As for showing a 404 vs a 403, for my applications there’s not really any practical benefits to that. If someone’s tweaking the URLs, I’m not going to go out of my way to show them a more ‘friendly’ error message. Your requirements may well be different though.

@Joel: As I was reading this post, I thought to myself that that’s where this approach (sort of) breaks down. Of course the vast majority of the time it’s perfect though.

I’ve used two solutions in the past, and like everything I guess it boils down to personal preference. The first is to make another has_many with different conditions. The other is sticking some query on the user model.

1
2
3
4
5

class User < ActiveRecord::Base
  def access?(list)
    admin? || list.user_id == id
  end
end

I definitely prefer the latter, but like everything else it comes down to examining the tradeoffs and personal preference.

@myself: Obviously with my solution you wouldn’t use the proxy in the controller anymore…it’d be like

1
2
3
4

def authorized?
  @list = TodoList.find params[:id]
  current_user.access? @list
end

@Koz: The scope out plugin supports cache invalidation. In your example instead of current_user.active_lists(:reload).each… it would be current_user.todo_lists.active(:reload).each… it may not be ideal for all applications, but I find the plugin very useful for this.

What bothers me with your last example is (1) you just defined what makes a TodoList active or complete in your User model and (2) For every model that has_many :todo_lists, you need to add the same associations to have the scoped criteria.

Koz,

This is pushing the subject of the article, but do you know of any way to do multi-step proxying? For instance, lets say the following…

A has_many C :through => B C has_many D

I’d like to be able to say a.ds and get a list of all the matching models. It that dumb? Right now I end up with hacks like a.cs.collect{|x| x.ds} but you lose the ability to do nicely scoped queries. I thought maybe I could pull some trickery like this:

A has_many D :through => [B, C]

But that doesn’t seem to exist, best I can tell. If it helps I can describe the problem in a real scenario I’m facing. Thanks!

In the example where you rescue the exception, you forgot rescue’s relative end statement.

- Random8r.

I like this approach a lot. How would you go about testing this though? Formerly I would have written (using rspec)

TodoList.should_receive(:find_all_by_user_id).with(current_user.id) 

def search @todo_lists = current_user.todo_lists.search(params[:q]) end

wait, what? how does that work? Didn’t we define “search” as a method on the TodoList class? How does it end up as a method on the association proxy? shouldn’t we call the method like this:

TodoList.search(params[:q])

Wow! I dig the use of has_many there; I didn’t know you could do that. Thanks for sharing, koz. :)

Best. Tips. Ever.

In case 2, why wouldn’t you do?:

def create @todo_list = TodoList.new(params[:todo_list]) current_user.todo_lists << @todo_list current_user.save redirect_to todo_list_url(@todo_list) end

Paul, that’s pretty much what case 2 demonstrated, with the following line:

@todo_list = current_user.todo_lists.create! params[:todo_list]

Although the solution you presented works, I’m finding that SomeModel.new(params[:foo]), followed by something to hook it up to the appropriate association, is generally error prone and (IMHO) ugly. :) I much prefer letting rails do the work of hooking up the associations for me.

Wow, The three tips hit my head, Bang! Bang!! Bang!!!

I really enjoyed the “Case One – Restricting Access to User Data” part as I’m a bit of a security buff. It is a really interesting application of the pattern, you have just inspired me greatly!

Jamis + Koz: The Rails Way is the most useful Rails resource out there. Thanks a ton for dedicating the time to it.

How would one apply the Case 2 pattern when using a has_many :through relationship? If the user has todo_lists through projects, for example, is one relegated to:

@todo_list = TodoList.new(params[:list]) current_user.todo_lists << @todolist

all over again? Is there a way to avoid HasManyThroughCantAssociateNewRecords errors without doing this?