Thank you Kevin. This was exactly what I was looking for. :)

On May 21, 12:28 am, kevinpfromnm <[email protected]> wrote:
> I was going to say it sounds like a problem I'm having in another
> app. Except, for mine, the form shows but the link doesn't. I've got
> the same sort of code for another model and it works fine, both parts.
>
> I finally got it working (sort of) by using attr_protected on the
> relationship since the :creator => true handles assigning the owner.
>
> On May 20, 1:32 pm, atmorell <[email protected]> wrote:
> > Update permissions is working perfectly:
> >
> >   def create_permitted?
> >     acting_user.signed_up?
> >   end
> >
> >   def update_permitted?
> >     acting_user.administrator? || acting_user == self.user
> >   end
> >
> > But the user can create a new record on behalf of another user
> > by changing the user_id field with firebug. If I add return false
> > unless user_is? acting_user to create_permitted? the create form is
> > not shown by hobo.
> >
> > Any ideas?
> >
> > On May 20, 7:25 pm, kevinpfromnm <[email protected]> wrote:
> > > You should set things like that, that should never happen, in
> > > your permissions.
> > >
> > >   def update_permitted?
> > >     return false unless user_is? acting_user
> > >     # ... rest of permissions
> > >   end
> > >
> > > On May 20, 3:47 am, atmorell <[email protected]> wrote:
> > > > Hello,
> > > >
> > > > How do I avoid that users can change the user_id in the hidden-fields
> > > > from firebug. I was surprised that I can log in with a user and create
> > > > a record on behalf of another user by changing the user_id value
> > > > with firebug.
> > > >
> > > > User model:
> > > >   has_many :arts, :dependent => :destroy
> > > >
> > > > Art model:
> > > >   belongs_to :user, :creator => true
> > > >
> > > > Best regards.
> > > > Asbjørn Morell

-- You received this message because you are subscribed to the Google Groups "Hobo Users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/hobousers?hl=en.
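
The problem and the two fixes discussed in this thread, as an added example that is not from the thread or from Hobo. It is a framework-free model: `create_weak`, `create_checked`, `create_protected`, the `User` struct and the sample data are hypothetical names constructed for illustration.

```ruby
# Constructed, framework-free model of the thread's problem (not Hobo code).
User = Struct.new(:id, :signed_up, :administrator) do
  def signed_up?; signed_up; end
  def administrator?; administrator; end
end

class Art
  attr_accessor :title, :user_id
  def initialize(attrs = {})
    attrs.each { |name, value| public_send("#{name}=", value) }
  end
end

# Before: mirrors create_permitted? from the thread. Only sign-up is checked,
# so whatever user_id arrives in the form is stored as the owner.
def create_weak(params, acting_user)
  return nil unless acting_user.signed_up?
  Art.new(params)
end

# Fix A: reject the request when the submitted owner is not the acting user
# (the comparison that `user_is? acting_user` expresses in the thread).
def create_checked(params, acting_user)
  art = Art.new(params)
  return nil unless acting_user.signed_up? && art.user_id == acting_user.id
  art
end

# Fix B: never read the owner from the request; set it server-side instead
# (the attr_protected plus :creator => true approach from the thread).
def create_protected(params, acting_user)
  return nil unless acting_user.signed_up?
  art = Art.new(params.reject { |name, _| name.to_s == "user_id" })
  art.user_id = acting_user.id
  art
end

ALICE = User.new(1, true, false)                 # constructed acting user
TAMPERED = { "title" => "x", "user_id" => 2 }    # constructed edited form post

if __FILE__ == $PROGRAM_NAME
  puts "weak:      owner=#{create_weak(TAMPERED, ALICE).user_id}"
  puts "checked:   #{create_checked(TAMPERED, ALICE).inspect}"
  puts "protected: owner=#{create_protected(TAMPERED, ALICE).user_id}"
end
```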
