Thank you Kevin. This was exactly what I was looking for. :)

On May 21, 12:28 am, kevinpfromnm <[email protected]> wrote:
> I was going to say it sounds like a problem I'm having in another
> app.  Except, for mine, the form shows but the link doesn't.  I've got
> the same sort of code for another model and it works fine, both parts.
>
> I finally got it working (sort of) by using attr_protected on the
> relationship since the :creator => true handles assigning the owner.
>
> On May 20, 1:32 pm, atmorell <[email protected]> wrote:
>
> > Update permissions is working perfectly:
>
> >   def create_permitted?
> >     acting_user.signed_up?
> >   end
>
> >   def update_permitted?
> >     acting_user.administrator? || acting_user == self.user
> >   end
>
> > But the user can create a new record on behalf of another user
> > by changing the user_id field with Firebug. If I add return false
> > unless user_is? acting_user to create_permitted? the create form is
> > not shown by Hobo.
>
> > Any ideas?
>
> > On May 20, 7:25 pm, kevinpfromnm <[email protected]> wrote:
>
> > > You should set things like that, that should never happen, in
> > > your permissions.
>
> > > def update_permitted?
> > >   return false unless user_is? acting_user
> > >   ... #rest of permissions
> > > end
>
> > > On May 20, 3:47 am, atmorell <[email protected]> wrote:
>
> > > > Hello,
>
> > > > How do I prevent users from changing the user_id in the hidden fields
> > > > with Firebug? I was surprised that I can log in as one user and create
> > > > a record on behalf of another user by changing the user_id value
> > > > with Firebug.
>
> > > > User model:
> > > >   has_many :arts, :dependent  => :destroy
>
> > > > Art model:
> > > >   belongs_to :user, :creator => true
>
> > > > Best regards.
> > > > Asbjørn Morell
>
> > > > --
> > > > You received this message because you are subscribed to the Google 
> > > > Groups "Hobo Users" group.
> > > > To post to this group, send email to [email protected].
> > > > To unsubscribe from this group, send email to 
> > > > [email protected].
> > > > For more options, visit this group at
> > > > http://groups.google.com/group/hobousers?hl=en.
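A plain-Ruby sketch of the defence Kevin describes in this thread (attr_protected on the owner relationship plus :creator => true assigning the owner, with the permission checks quoted above), added here as an example and not code from the thread or from Hobo; the model, method and user names are assumed, and Rails' mass-assignment behaviour is simulated rather than loaded:

```ruby
# Added example (not from the thread, not Hobo code): a plain-Ruby model of
# the defence Kevin describes, runnable without Rails. All names are assumed.
User = Struct.new(:id, :administrator) do
  def administrator?; administrator; end
  def signed_up?; true; end
end

class Art
  PROTECTED = %w[user_id].freeze # what attr_protected on the owner gives you
  attr_accessor :user_id, :title

  # Mass assignment silently drops protected keys, as attr_protected does.
  def initialize(params = {})
    params.each do |key, value|
      next if PROTECTED.include?(key.to_s)
      public_send("#{key}=", value)
    end
  end

  # :creator => true: the owner is taken from the session, never from the form.
  def self.build_for(acting_user, params)
    art = new(params)
    art.user_id = acting_user.id
    art
  end

  def user_is?(user)
    !user.nil? && user.id == user_id
  end

  # Hobo-style permission hooks; create additionally requires owner == actor.
  def create_permitted?(acting_user)
    acting_user.signed_up? && user_is?(acting_user)
  end

  def update_permitted?(acting_user)
    acting_user.administrator? || user_is?(acting_user)
  end
end

# Constructed request: user 7 edits the hidden user_id to 1 with Firebug.
# The tampered value is discarded and the record still belongs to user 7.
def tampered_create(acting_user = User.new(7, false))
  art = Art.build_for(acting_user, "user_id" => 1, "title" => "landscape")
  { owner: art.user_id, allowed: art.create_permitted?(acting_user) }
end
```

Because the owner is set from acting_user after mass assignment, the create check can require user_is? acting_user without ever seeing the submitted user_id.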