I was going to say it sounds like a problem I'm having in another
app.  Except, for mine, the form shows but the link doesn't.  I've got
the same sort of code for another model and it works fine, both parts.

I finally got it working (sort of) by using attr_protected on the
relationship since the :creator => true handles assigning the owner.

On May 20, 1:32 pm, atmorell <[email protected]> wrote:
> Update permissions is working perfectly:
>
>   def create_permitted?
>     acting_user.signed_up?
>   end
>
>   def update_permitted?
>     acting_user.administrator? || acting_user == self.user
>   end
>
> But the user can create a new record on behalf of another user
> by changing the user_id field with firebug. If I add return false
> unless user_is? acting_user  to create_permitted? the create form is
> not shown by hobo.
>
> Any ideas?
>
> On May 20, 7:25 pm, kevinpfromnm <[email protected]> wrote:
>
> > You should set things like that, that should never happen, in
> > your permissions.
>
> > def update_permitted?
> >   return false unless user_is? acting_user
> >   ... #rest of permissions
> > end
>
> > On May 20, 3:47 am, atmorell <[email protected]> wrote:
>
> > > Hello,
>
> > > How do I avoid that users can change the user_id in the hidden-fields
> > > from firebug? I was surprised that I can log in with a user and create
> > > a record on behalf of another user by changing the user_id value
> > > with firebug.
>
> > > User model:
> > >   has_many :arts, :dependent  => :destroy
>
> > > Art model:
> > >   belongs_to :user, :creator => true
>
> > > Best regards.
> > > Asbjørn Morell
>
> > > --
> > > You received this message because you are subscribed to the Google Groups 
> > > "Hobo Users" group.
> > > To post to this group, send email to [email protected].
> > > To unsubscribe from this group, send email to 
> > > [email protected].
> > > For more options, visit this group at
> > > http://groups.google.com/group/hobousers?hl=en.
>

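
The problem and fix discussed in this thread, as an added example that is not part of the original messages: plain Ruby, not Hobo or Rails API, showing a create path that trusts the hidden user_id next to one that drops it and takes the owner from the logged-in user. Every class, method and constant name here is an assumption made for illustration, and the form post is constructed.

```ruby
# Added illustration in plain Ruby; none of this is Hobo or Rails API.
User = Struct.new(:id, :signed_up, :administrator)

class Art
  PROTECTED = [:user_id].freeze # stands in for attr_protected on the owner
  attr_reader :title, :user_id

  # Vulnerable: every submitted field, including the hidden user_id, is trusted.
  def self.create_unsafe(params)
    new(params[:title], params[:user_id])
  end

  # Hardened: protected keys are dropped and the owner comes from the session,
  # the effect the thread gets from :creator => true plus attr_protected.
  def self.create_safe(params, acting_user)
    clean = params.reject { |key, _| PROTECTED.include?(key) }
    new(clean[:title], acting_user.id)
  end

  def initialize(title, user_id)
    @title = title
    @user_id = user_id
  end

  # Defence in depth: the stored owner must be the acting user.
  def create_permitted?(acting_user)
    acting_user.signed_up && user_id == acting_user.id
  end

  def update_permitted?(acting_user)
    acting_user.administrator || user_id == acting_user.id
  end
end

ALICE = User.new(1, true, false)
BOB   = User.new(2, true, false)
# Constructed form post: Bob is logged in, but the hidden field holds Alice's id.
TAMPERED = { title: "sunset", user_id: ALICE.id }.freeze

def demo
  unsafe = Art.create_unsafe(TAMPERED)
  safe   = Art.create_safe(TAMPERED, BOB)
  { unsafe_owner: unsafe.user_id, unsafe_allowed: unsafe.create_permitted?(BOB),
    safe_owner: safe.user_id, safe_allowed: safe.create_permitted?(BOB) }
end

p demo if __FILE__ == $PROGRAM_NAME
```
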
