Update permissions is working perfectly:
def create_permitted?
  acting_user.signed_up?
end

def update_permitted?
  acting_user.administrator? || acting_user == self.user
end
But a user can still create a new record on behalf of another user
by changing the user_id field with Firebug. If I add "return false
unless user_is? acting_user" to create_permitted?, the create form is
not shown by Hobo.
Any ideas?
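As an added, stand-alone illustration of the ownership check this thread is about (my own Ruby, not Hobo or the poster's code): the helper names acting_user, user_is? and create_permitted? follow the thread, but the objects are plain Ruby so it runs without Rails, and the blank-record form preview (a record with no owner yet) is an assumption about how the create form gets gated.

```ruby
# Stand-alone model of the permission logic from the thread. Not Hobo code:
# acting_user, user_is? and create_permitted? only mirror the thread's names.
User = Struct.new(:id, :admin, :signed_up) do
  def administrator?; admin; end
  def signed_up?;     signed_up; end
end

class Art
  attr_reader :user_id, :acting_user

  # attrs is whatever the client submitted, including a possibly edited user_id
  def initialize(acting_user, attrs = {})
    @acting_user = acting_user
    @user_id     = attrs[:user_id]
  end

  # Is the record's owner the given user? (nil owner never matches)
  def user_is?(u)
    !user_id.nil? && user_id == u.id
  end

  # Only a signed-up user may create, and only for themselves. The owner is
  # nil on the blank record used to decide whether to render the form
  # (assumption), so that case is allowed; a submitted user_id must match.
  def create_permitted?
    return false unless acting_user.signed_up?
    user_id.nil? || user_is?(acting_user)
  end

  def update_permitted?
    acting_user.administrator? || user_is?(acting_user)
  end
end

# Server-side handling of a create request: the submitted owner is untrusted.
# Option A: let the permission check reject a mismatching owner.
def create_allowed?(acting_user, params)
  Art.new(acting_user, params).create_permitted?
end

# Option B: overwrite the owner with the acting user before the check, so a
# tampered hidden field is discarded rather than merely rejected.
def create_with_forced_owner(acting_user, params)
  art = Art.new(acting_user, params.merge(user_id: acting_user.id))
  art.create_permitted? ? art : nil
end
```

Option B is the stronger habit: ownership is decided by the server from the session, never read back from the form.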
On May 20, 7:25 pm, kevinpfromnm <[email protected]> wrote:
> You should set things like that, which should never happen, in
> your permissions.
>
> def update_permitted?
>   return false unless user_is? acting_user
>   ... # rest of permissions
> end
>
> On May 20, 3:47 am, atmorell <[email protected]> wrote:
>
> > Hello,
>
> > How do I avoid users being able to change the user_id in the hidden
> > fields from Firebug? I was surprised that I could log in with a user
> > and create a record on behalf of another user by changing the
> > user_id value with Firebug.
>
> > User model:
> > has_many :arts, :dependent => :destroy
>
> > Art model:
> > belongs_to :user, :creator => true
>
> > Best regards.
> > Asbjørn Morell
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Hobo Users" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group
> > at http://groups.google.com/group/hobousers?hl=en.