You should set things like that, that should never happen, in your permissions.

    def update_permitted?
      return false unless user_is? acting_user
      ... #rest of permissions
    end

On May 20, 3:47 am, atmorell <[email protected]> wrote:
> Hello,
>
> How do I avoid that users can change the user_id in the hidden-fields
> from firebug. I was surprised that I can log in with a user and create
> a record on the behalf of another user by changing the user_id value
> with firebug.
>
> User model:
> has_many :arts, :dependent => :destroy
>
> Art model:
> belongs_to :user, :creator => true
>
> Best regards.
> Asbjørn Morell
>
> --
> You received this message because you are subscribed to the Google Groups
> "Hobo Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group
> at http://groups.google.com/group/hobousers?hl=en.
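
Added example, not part of the thread and not Hobo's own code: a plain-Ruby sketch of the server-side ownership check the reply describes, run against a submitted user_id that differs from the logged-in user. The structs, `create_art`, `update_art` and the sample users are hypothetical stand-ins; only `user_is?`, `acting_user` and `update_permitted?` are names taken from the thread.

```ruby
# Plain-Ruby stand-ins (assumptions, not Hobo classes).
User = Struct.new(:id, :name)
Art  = Struct.new(:user_id, :title) do
  # Stand-in for the user_is? helper used in the reply above.
  def user_is?(user)
    !user.nil? && user.id == user_id
  end
end

# A record may only be created for the user who is logged in.
def create_permitted?(art, acting_user)
  art.user_is?(acting_user)
end

# Only the stored owner may update, and the owner may not be reassigned.
def update_permitted?(stored, submitted, acting_user)
  return false unless stored.user_is?(acting_user)
  submitted.user_id == stored.user_id
end

# Hypothetical request handlers: params are untrusted form fields, including
# the hidden user_id field that the client can edit freely.
def create_art(acting_user, params)
  art = Art.new(Integer(params.fetch("user_id")), params["title"])
  create_permitted?(art, acting_user) ? art : :forbidden
end

def update_art(acting_user, stored, params)
  submitted = Art.new(Integer(params.fetch("user_id", stored.user_id)),
                      params.fetch("title", stored.title))
  update_permitted?(stored, submitted, acting_user) ? submitted : :forbidden
end

# Constructed sample users.
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")

if __FILE__ == $PROGRAM_NAME
  p create_art(ALICE, "user_id" => "1", "title" => "mine")      # accepted
  p create_art(ALICE, "user_id" => "2", "title" => "not mine")  # :forbidden
  p update_art(BOB, Art.new(1, "mine"), "title" => "changed")   # :forbidden
end
```

The decision is made from the session's user on the server, so the hidden field's value only matters when it disagrees with that user, and then the request is refused.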
