Lately I have come to somewhat of a dilemma. Consider I have a Forum model. A Forum belongs_to a Group, but not any one particular User. To create a Forum, however, the Membership association between the User and the Group must be at an admin-level (integer value is 3). In the controller I use the before_filter called 'require_group_admin' to ensure proper permissions. The problem is that in the Forum validate() method, I cannot make sure that the user creating it has sufficient permissions without adding a user_id foreign key.
Consider an opposite example. A Group also has_many Events. To create an Event, just like a Forum, the User's Membership association with the Group (:through) must be 3. As such, I use the same before_filter in the controller as in the previous example. However, this time in the validate() method of the Event class I can choose to make sure the User has proper permissions because it belongs_to a User. This would have to be done via something like:
"self.user.membership.find_by_group_id(group).status == 3"
Something very similar is required in the before_filter 'require_group_admin' to make sure the User can do that. I was told that before_filters should be used to protect the viewing of files; models to protect the actual data itself. So in theory I should be using both. But I am repeating myself, thereby violating the infamous DRY. And add to that the fact that I am doing two extra queries, if not more ("self.user.membership" == find user, find membership by user?).
Am I missing something here? Am I supposed to use both validations? If so, what about in the first case? It doesn't make sense for a single forum to "belong" to a user! Responses greatly appreciated!
- Michael
