Ruby on Rails Monday, August 15, 2016

The application I am working on is largely based on Michael Hartl's tutorial.
The create action for the users controller uses strong parameters with permitted parameters. The 'admin' attribute, for instance, is not included in the permitted parameters, so a malicious user could not send a PATCH request in order to become admin.

My application requires newly created users to make a list of choices on the home page in order to be redirected to a new page, reserved for users who have completed this stage.
I thought of adding a new attribute to the User model ('member', for instance) which can be toggled inside the create action of the Choice controller (probably with a call to a private method), once the user has completed the number of choices requested.

Is this allowed or am I required to revise strong parameters with the new attribute?


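The pattern asked about above, as an added example that is not part of the original post or of the tutorial's code: strong parameters only filter what arrives in the request, so a flag the application sets itself from stored state does not need to be permitted, and leaving it out of the permitted list is what keeps a client from setting it. This is a plain-Ruby model that runs without Rails; `permit` is a simplified stand-in for `ActionController::Parameters#permit`, and `REQUIRED_CHOICES`, the permitted key list, and the method names are assumptions.

```ruby
# Plain-Ruby model of the pattern (no Rails needed to run it). `permit` is a
# simplified stand-in for ActionController::Parameters#permit; the constants
# and method names below are assumptions made for this example.

PERMITTED_USER_KEYS = %w[name email password password_confirmation].freeze
REQUIRED_CHOICES = 3 # assumed threshold of choices a new user must make

# Stand-in for strong parameters: keep only allow-listed keys from request data.
def permit(raw_params, allowed)
  raw_params.select { |key, _| allowed.include?(key.to_s) }
end

class User
  attr_reader :name, :email, :admin, :member, :choices

  def initialize
    @admin = false
    @member = false
    @choices = []
  end

  # Mass assignment: the only path that request-supplied keys travel through.
  def update(attrs)
    attrs.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Server-side transition: decided from stored state, never from request data.
  def promote_if_complete!
    @member = true if choices.size >= REQUIRED_CHOICES
    member
  end
end

# Stand-in for UsersController#update: request params pass through the filter.
def users_update(user, raw_params)
  user.update(permit(raw_params, PERMITTED_USER_KEYS))
end

# Stand-in for ChoicesController#create: only the choice value comes from the
# request; the member flag is set by the application itself.
def choices_create(user, raw_params)
  user.choices << permit(raw_params, %w[option]).fetch("option")
  user.promote_if_complete!
end
```

A forged `"member" => true` or `"admin" => true` in either request is dropped by the filter, while the third valid choice flips `member` through `promote_if_complete!`.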
