apsislabs / phi_attrs

HIPAA compliant PHI access logging for Ruby on Rails.
MIT License

Don't require phi_access logging for `new` models #39

Open Crisfole opened 5 years ago

Crisfole commented 5 years ago

Sometimes you just want a transitory `MyModel.new(params).method_call`.

It's super annoying to have to assign a variable just to allow phi on the params you're already touching and are unprotected anyway.

We shouldn't 'engage' PHI_Attrs until it's been saved to the database.

wkirby commented 3 years ago

@Crisfole it seems like this would be easy to address by extending `new` and `create` on the model to call `allow_phi!` for you. In theory, you aren't creating a model without data you don't already have access to.

I'm hesitant to say we should skip logging altogether, though — since as soon as you have data on your server you are its custodian.

Crisfole commented 3 years ago

I'd want to `disallow_phi!` on first save too (so if you persist the model, after that you do have to `allow_phi`, especially since sometimes that act pulls more data in).
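
The behaviour proposed across the comments above (allow PHI automatically on `new`, still log it, revoke on first save), as an added plain-Ruby sketch that is not phi_attrs code and not code from any participant. `GuardedModel`, `TransientPhiAccess`, `Patient` and the `allow_phi!(user, reason)` signature are assumptions for illustration; no Rails or ActiveRecord is involved.

```ruby
# Plain-Ruby stand-in, NOT phi_attrs or ActiveRecord. All class and module
# names are hypothetical and the method signatures are assumptions.
class PhiAccessDenied < StandardError; end

class GuardedModel
  ACCESS_LOG = [] # stand-in for the PHI access log

  # Define readers that raise unless PHI access is currently allowed.
  def self.phi_fields(*names)
    names.each do |name|
      define_method(name) do
        raise PhiAccessDenied, "#{self.class}##{name}" unless @phi_allowed
        @attrs[name]
      end
    end
  end

  def initialize(attrs = {})
    @attrs, @persisted, @phi_allowed = attrs, false, false
  end

  def allow_phi!(user, reason)
    @phi_allowed = true
    ACCESS_LOG << "allow #{self.class} user=#{user} reason=#{reason}"
  end

  def disallow_phi!
    @phi_allowed = false
    ACCESS_LOG << "revoke #{self.class}"
  end

  def save; @persisted = true; end
end

# Auto-allow on `new` (logged, never skipped); revoke on the first save only.
module TransientPhiAccess
  def initialize(attrs = {})
    super
    allow_phi!('system', 'unsaved record built from caller-supplied params')
  end

  def save
    first_save = !@persisted
    super.tap { disallow_phi! if first_save }
  end
end

class Patient < GuardedModel
  prepend TransientPhiAccess
  phi_fields :ssn # constructed sample field
end
```

After the first `save`, reading `ssn` raises until `allow_phi!` is called again, and the automatic grant still leaves an entry in `ACCESS_LOG`.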