Rails: editable/non-editable field depending on user permissions

I'd like to display a single form in which each user can edit different fields.

Currently, the code looks like this:

<% if can? :update, item %>  
` <%= f.text_field :title %>
<% else %>
  <%=h f.object.title %>
<% end %>

I can package this in a series of helpers (one for each field type) but I also have to check in the controller whether the user can update all submitted fields (in case a malicious user tries to submit fields he is not authorized for).

Is there a cleaner pattern in rails for this type of 开发者_运维百科task? Ideally, I would like to define these access permissions in the model and have the changes propagate to controller and view.

Edit:

Using the readonly tag is not a viable option; It doesn't take care of validations and replaces the view logic with lots of CSS. Not the best trade-off.

You can make them readonly

<%= f.text_field :title, :readonly=> (can? :update, item)? true : false %>

Take a look at the acl9 plugin for authorization .

I dont belive theres any way to solve this with a plugin, the only option would be to change the controller code to:

@model=Model.new
@model.field = params[:model][:field] if can? ....
@model.save