On Thu, Jun 11, 2009 at 8:36 PM, Chrisis<[email protected]> wrote:
> The form fields I specify in the form are the only fields the user is
> allowed to change on that particular entry point. Why don't we take
> this given as leading and mould our controllers and models to this set
> of allowed fields?

Imagine a multi-account invoicing application that has a customer selector in the form for invoice creation. That customer_id has to be protected to prevent users from injecting customer_ids belonging to other accounts. Yet it belongs to the form.
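The point made in the reply above, as an added plain-Ruby example that is not part of the original thread and is not Rails code: an allowlist of form fields accepts any value for a permitted field, so the ownership check on customer_id still has to be done against the current account. All names and data here (FORM_FIELDS, CUSTOMERS, the build_invoice_* methods) are hypothetical and constructed for illustration.

```ruby
# Constructed sample data: two accounts, each owning one customer.
Customer = Struct.new(:id, :account_id, :name)
CUSTOMERS = [
  Customer.new(1, 10, "Acme (account 10)"),
  Customer.new(2, 20, "Globex (account 20)")
].freeze

# Fields that appear in the invoice creation form (hypothetical names).
FORM_FIELDS = %w[customer_id amount].freeze

class ForeignCustomer < StandardError; end

# Keep only the keys the form exposes; drops extras such as "account_id".
def permit_form_fields(params)
  params.select { |key, _| FORM_FIELDS.include?(key) }
end

# Approach 1: a value is trusted as long as its field is in the form.
def build_invoice_by_form_fields(account_id, params)
  attrs = permit_form_fields(params)
  { account_id: account_id, customer_id: Integer(attrs["customer_id"]), amount: attrs["amount"] }
end

# Approach 2: same field allowlist, plus a customer lookup scoped to the account.
def build_invoice_scoped(account_id, params)
  attrs = permit_form_fields(params)
  wanted = Integer(attrs["customer_id"])
  customer = CUSTOMERS.find { |c| c.id == wanted && c.account_id == account_id }
  raise ForeignCustomer, "customer #{wanted} is not in account #{account_id}" unless customer
  { account_id: account_id, customer_id: customer.id, amount: attrs["amount"] }
end

# Constructed request: a user of account 10 submits another account's customer_id.
TAMPERED = { "customer_id" => "2", "amount" => "100.00", "account_id" => "20" }.freeze

# Returns the invoice hash, or the rejection message when the customer is foreign.
def scoped_result(account_id, params)
  build_invoice_scoped(account_id, params)
rescue ForeignCustomer => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  p build_invoice_by_form_fields(10, TAMPERED) # accepted: invoice references customer 2
  p scoped_result(10, TAMPERED)                # rejected by the account-scoped lookup
end
```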
