Ruby on Rails
Saturday, February 26, 2011
On 26 Feb 2011, at 15:31, Mauro wrote:
I know it's good practice to set attr_accessible for models.
As an example, if I have a model with an admin: boolean attribute and I
don't set attr_accessible, a user can do: put /users/17?admin=1, making
user 17 an admin.
But if I have attr_accessible set and I want to create new users with
an HTML form, how can I set admin to true or false?
Do I have to do an update directly in the database?
Indeed, if you protect the admin boolean from mass assignment, it's up to you to assign it. You can still use the incoming params to determine if you need to set it or not, but you'll probably want to verify if the user has the permissions to do that.
Best regards
Peter De Berdt
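The approach in the reply above, as an added example that is not part of the original thread and does not use Rails itself: a plain-Ruby sketch of attr_accessible-style whitelisting, with a controller-style create and update that take the protected admin flag from the incoming params only after checking that the caller is allowed to grant it. The User class, its ATTR_ACCESSIBLE whitelist, the flat params hash, and the create_user/update_user/current_user names are all assumptions for illustration.

```ruby
# Added example: a Rails-free sketch of attr_accessible-style protection.
# User, ATTR_ACCESSIBLE, create_user/update_user and the current_user argument
# are assumed names for illustration, not Rails or thread code.

class User
  # Whitelist in the spirit of attr_accessible; :admin is deliberately absent.
  ATTR_ACCESSIBLE = %w[name email].freeze

  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
  end

  # Mass assignment: keys outside the whitelist are dropped silently, the way
  # attr_accessible did (Rails logged the protected keys rather than raising).
  def assign_attributes(attrs)
    attrs.each do |key, value|
      key = key.to_s
      next unless ATTR_ACCESSIBLE.include?(key)
      public_send("#{key}=", value)
    end
    self
  end

  def admin?
    @admin == true
  end
end

# True for the string forms a query string or form field delivers ("1", "true")
# and for a literal true; everything else, including nil, counts as false.
def truthy_param?(value)
  value == true || %w[1 true].include?(value.to_s)
end

# Controller-style create. `params` is the flat request hash (so ?admin=1
# arrives as params["admin"]); `current_user` is the authenticated caller.
def create_user(params, current_user)
  user = User.new(params)                 # "admin" in the payload is ignored here...
  # ...and assigned explicitly, only when the caller is allowed to grant it.
  user.admin = true if truthy_param?(params["admin"]) && current_user&.admin?
  user
end

# Controller-style update for PUT /users/:id; same rule for the protected flag.
def update_user(user, params, current_user)
  user.assign_attributes(params)          # whitelist still drops "admin"
  if params.key?("admin") && current_user&.admin?
    user.admin = truthy_param?(params["admin"])
  end
  user
end
```

The check that matters is the one on current_user: the form can carry an admin checkbox, and the params can carry admin=1, but the flag only changes when the caller already has the right to grant it. A non-admin sending PUT /users/17?admin=1 therefore gets the harmless attributes applied and nothing else.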