>
> This won't protect you from someone forgering a request. You should
> check this in the controller, maybe put something like this in the
> update method:
> """
> user_to_update.admin = params[:admin] unless !logged_in_user.admin?
> """
> (and PLEASE do check this code before relying on it, that's off the
> top of my head). Doing it this way will make sure that no non-admin
> can change the admin status of a user.
>
> Regards,
>
> Felix
Thanks Felix,
Yeah I don't want to rely on attr_protected and attr_accessible either.
I would rather code my own pieces and use those as an extra buffer.
Thanks for the input and I'll create a custom check for this and test
thoroughly.
--
Posted via
http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk@...
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@...
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en-~----------~----~----~----~------~----~------~--~---
