How to pass `current_user.id` to a controller?


#1

I currently pass the current user id via data, but this feels hackish and not very secure.
Is there a better way?


#2

Doesn’t seem hackish to me. Data-attributes are a great way for the server to pass necessary information to the client side code.

As far as security goes, everything you do on the client side is inherently insecure. Security should always be enforced server-side. If you don’t want to reveal user ids to the client use a unique random token instead.


#3

In my code, a user locks a record in the UI, and this triggers the generation of a new html snippet that will be propagated to all viewers of this record to show this record is now locked.
The snippet contains 2 parts, one for the locker (an AJAX link to unlock the record), and one for everybody else (just a image).
Those 2 parts are hidden by default, and it’s the Stimulus controller role to reveal one and remove the other based on the current user identity based on

  may_unlock = (current_user_id == object.locker.id

The *Channel.rb knows about current_user; if only there was a simple (meaning: “synchronous”) way for the client javascript code to obtain this value.


#4

CSS might be a better tool for the job if you just need to show/hide elements. Something like:

<head>
  …
  <style>
    [data-visible-to]:not([data-visible-to="<%= current_user.id %>"]) {
      display: none;
    }
  </style>
</head>
<body>
  …
  <div data-visible-to="<%= record.creator.id %>">
    …
  </div>
</body>

#5

Thanks @javan Simple and elegant solution; it helped me remove a lot of painful javascript. (after adding the matching [data-invisible-to..] - see below)

It’s limited to simple cases though: I’m afraid it won’t help for

   may_edit = current_user_is_admin || (current_user_id == article_author_id) 

Here is the complete css code I used to replace showing/hiding with Javascript:

<head>
  ...
  <style>
    [data-visible-to]:not([data-visible-to="<%= current_user.id %>"]) {
      display: none;
    }
    [data-invisible-to="<%= current_user.id %>"] {
      display: none;
    }
  </style>
</head>


#6

I expanded the above solution to hide/show elements based on the user’s roles.

<head>
  ..
  <%= csrf_meta_tag %>
  <%= render 'layouts/custom_user_styles' %>
</head>

file ‘views/layouts/_custom_user_styles.html.erb’:

<% cache current_user do %>
  <!--source: https://discourse.stimulusjs.org/t/how-to-pass-current-user-id-to-a-controller/287/3-->
  <style>
    [data-visible-to-user]:not([data-visible-to-user="<%= current_user.id %>"]) {
      display: none;
    }
    [data-invisible-to-user="<%= current_user.id %>"] {
      display: none;
    }

    <% User::ROLES_SYMBOLS.each do |role| %>
      <% if current_user.has_role?(role) %>
        [data-invisible-to-role="<%= role %>"] {
          display: none;
        }
      <% else %>
        [data-visible-to-role="<%= role %>"] {
          display: none;
        }
      <% end %>
    <% end %>
  </style>
<% end %>


#7

I think you could improve this further by caching based on the set of roles instead of each individual user


#8

In case if you need to pass user id to more than one controller I would suggest go the Basecamp way and add it to the <head> like:

<meta name="current-person-id" content="your-id">

#9

I agree with @Alexandr_K. This way you can keep your views free of user specific attributes, which allows you to cache the page. The meta(s) tag can be read to gather additional information about the current user.