Ruby on Rails Thursday, July 30, 2015

On 30 July 2015 at 21:44, Scott Goci <scottjg@gmail.com> wrote:
> ...
> My main question revolves around the following line (under fields_for
> responses):
>
> <%= r.hidden_field :user_id, value: current_user.id %>
>
> I see it suggested other places (e.g. here on stackoverflow, or this tutorial
> here ) to put a hidden user_id field, but this feels incredibly wrong to me
> -- if a user is malicious, they could edit the form and modify the hidden
> user_id field to modify another participant's answer.

In the controller, check that the id from the form matches that of the
currently logged-in user. In fact, I'm not sure why you need it in the form
at all, as it should just be that of the current user. Possibly I am
missing something in your question.

Colin

To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/CAL%3D0gLu4-CEJMj7K527YFRQnWYFhRQ%2BZm_NUr0LNBeQPLkfeUg%40mail.gmail.com.
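The two options Colin describes (verify the submitted user_id against the session, or drop the field and stamp the owner server-side), as an added example in plain Ruby that is not part of the thread; the nested params hash is a constructed stand-in for what a Rails `fields_for :responses` form would post, and the function names are my own:

```ruby
# Constructed sample of the nested params a fields_for :responses form
# posts, where the client has tampered with the hidden user_id (99).
TAMPERED_PARAMS = {
  "survey" => {
    "responses_attributes" => {
      "0" => { "question_id" => "5", "answer" => "yes", "user_id" => "99" }
    }
  }
}

# Attributes a participant may set on a response. user_id is deliberately
# absent: ownership is never accepted from the client.
PERMITTED = %w[question_id answer].freeze

class OwnershipMismatch < StandardError; end

# Option 1: keep the hidden field but reject the request unless every
# submitted user_id equals the logged-in user's id.
def verify_owner!(params, current_user_id)
  params.dig("survey", "responses_attributes").each_value do |attrs|
    next if attrs["user_id"].to_i == current_user_id
    raise OwnershipMismatch,
          "submitted user_id #{attrs['user_id']} != current user #{current_user_id}"
  end
  true
end

# Option 2 (the one Colin prefers): ignore whatever the form sent for
# user_id and set the owner from the session. Returns the sanitised
# attribute hashes that would be handed to the model.
def response_attrs_for(params, current_user_id)
  params.dig("survey", "responses_attributes").values.map do |attrs|
    attrs.slice(*PERMITTED).merge("user_id" => current_user_id)
  end
end

if __FILE__ == $PROGRAM_NAME
  begin
    verify_owner!(TAMPERED_PARAMS, 7)
  rescue OwnershipMismatch => e
    puts "rejected: #{e.message}"
  end
  p response_attrs_for(TAMPERED_PARAMS, 7)
end
```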