Update permissions are working perfectly:

  def create_permitted?
    acting_user.signed_up?
  end

  def update_permitted?
    acting_user.administrator? || acting_user == self.user
  end

But the user can create a new record on behalf of another user
by changing the user_id field with Firebug. If I add "return false
unless user_is? acting_user" to create_permitted?, the create form is
not shown by Hobo.

Any ideas?


On May 20, 7:25 pm, kevinpfromnm <[email protected]> wrote:
> You should set things like that, that should never happen, in
> your permissions.
>
> def update_permitted?
>   return false unless user_is? acting_user
>   ... #rest of permissions
> end
>
> On May 20, 3:47 am, atmorell <[email protected]> wrote:
>
> > Hello,
>
> > How do I prevent users from changing the user_id in the hidden fields
> > with Firebug? I was surprised that I can log in as one user and create
> > a record on behalf of another user by changing the user_id value
> > with Firebug.
>
> > User model:
> >   has_many :arts, :dependent  => :destroy
>
> > Art model:
> >   belongs_to :user, :creator => true
>
> > Best regards.
> > Asbjørn Morell
>
> > --
> > You received this message because you are subscribed to the Google Groups 
> > "Hobo Users" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to 
> > [email protected].
> > For more options, visit this group at
> > http://groups.google.com/group/hobousers?hl=en.
>
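Added example, not from this thread and not Hobo's code: a standalone Ruby sketch of the permission rule being discussed. It borrows Hobo's method names (acting_user, user_is?, create_permitted?, update_permitted?) purely as conventions; the User and Art classes, the USERS table and the create_from_params "controller" are constructed here. It puts the original rule (any signed-up user may create, whatever user_id the form sends) next to a hardened one that requires the record's owner to be the acting user, and it treats a blank record with no owner as permitted so that, on the assumption that the framework checks create_permitted? on an empty record before rendering the "new" form (which is what the thread observes), the form still appears. The owner is then fixed server-side from the session, so a tampered hidden field never decides who owns the row.

```ruby
# Constructed stand-in for an account; a "signed up" user is one with a name.
User = Struct.new(:id, :name, :administrator) do
  def signed_up?
    !name.nil?
  end

  def administrator?
    administrator == true
  end
end

# Constructed stand-in for the Art model from the thread (belongs_to :user).
class Art
  attr_accessor :user, :title
  # Set by the application from the session, never from submitted form data.
  attr_accessor :acting_user

  def initialize(attrs = {})
    @title = attrs[:title]
    @user  = attrs[:user]
  end

  # True only when the record has an owner and it is the given user.
  def user_is?(u)
    !user.nil? && user == u
  end

  # Rule as originally posted: any signed-up user may create, regardless of
  # which user_id the form carried. This is the hole the thread describes.
  def create_permitted_loose?
    acting_user.signed_up?
  end

  # Hardened rule: a signed-up user may create only a record they own.
  # A record with no owner yet is allowed so a blank "new" form can render
  # (assumption about how the form check works); the owner is then forced
  # from the session in create_from_params below.
  def create_permitted?
    acting_user.signed_up? && (user.nil? || user_is?(acting_user))
  end

  def update_permitted?
    acting_user.administrator? || user_is?(acting_user)
  end
end

# Constructed user table for the example.
USERS = {
  1 => User.new(1, "alice", false),
  2 => User.new(2, "bob", false)
}

# Simulated create action. `params` is whatever the browser sent, including a
# user_id hidden field that may have been edited in the browser.
# Returns [:forbidden, nil] or [:created, art].
def create_from_params(acting_user, params)
  art = Art.new(title: params["title"], user: USERS[params["user_id"].to_i])
  art.acting_user = acting_user
  return [:forbidden, nil] unless art.create_permitted?
  # Ownership comes from the session, not from the form, whatever user_id said.
  art.user = acting_user
  [:created, art]
end

if __FILE__ == $PROGRAM_NAME
  alice = USERS[1]
  puts create_from_params(alice, { "title" => "x", "user_id" => "2" }).first  # forbidden
  puts create_from_params(alice, { "title" => "x", "user_id" => "1" }).first  # created
end
```

The permission check and the server-side owner assignment are deliberately both present: the check rejects a submission that names someone else, and the assignment makes sure that a submission which slips past with no owner (or a bogus id) still ends up belonging to the session user.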