You should set things like that, that should never happen, in
your permissions.

def update_permitted?
  return false unless user_is? acting_user
  ... #rest of permissions
end

On May 20, 3:47 am, atmorell <[email protected]> wrote:
> Hello,
>
> How do I prevent users from changing the user_id in the hidden fields
> from Firebug? I was surprised that I can log in with a user and create
> a record on behalf of another user by changing the user_id value
> with Firebug.
>
> User model:
>   has_many :arts, :dependent  => :destroy
>
> Art model:
>   belongs_to :user, :creator => true
>
> Best regards.
> Asbjørn Morell
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Hobo Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/hobousers?hl=en.
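
A plain-Ruby sketch of the permission check suggested in the reply, added here as an example and not code from the thread or from Hobo; `User`, `Art`, `save_art` and the sample data are hypothetical stand-ins. It shows a form whose hidden `user_id` was edited being refused on the server, and an owner being stopped from reassigning a record.

```ruby
# Plain-Ruby stand-in for the server-side check (no Rails or Hobo needed).
# User, Art and save_art are hypothetical names for this sketch.
User = Struct.new(:id, :name)

class Art
  attr_reader :user_id, :title

  def initialize(user_id:, title:)
    @user_id = user_id
    @title = title
  end

  # Same idea as `user_is? acting_user`: the record must belong to
  # whoever is logged in, whatever the form claimed.
  def user_is?(user)
    !user.nil? && user_id == user.id
  end

  def create_permitted?(acting_user)
    user_is?(acting_user)
  end

  # The owner may edit, but may never hand the record to someone else.
  def update_permitted?(acting_user, changes)
    return false unless user_is?(acting_user)
    !changes.key?(:user_id) || changes[:user_id] == user_id
  end
end

# acting_user comes from the session; params come from the browser and
# can be edited freely (hidden fields included).
def save_art(acting_user, params)
  art = Art.new(user_id: params.fetch(:user_id, acting_user.id).to_i,
                title: params[:title].to_s)
  art.create_permitted?(acting_user) ? art : nil
end

alice = User.new(1, "alice") # constructed sample users
bob   = User.new(2, "bob")

honest   = { user_id: "1", title: "Sunset" } # form as rendered for alice
tampered = { user_id: "2", title: "Sunset" } # hidden field edited to bob's id

p save_art(alice, honest)&.user_id # 1
p save_art(alice, tampered)        # nil, request rejected
```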
