On 09.07.2009 at 15:32, Älphä Blüë wrote:

> Frederick Cheung wrote:
>> On Jul 9, 3:18 pm, "Älphä Blüë" <rails-mailing-[email protected]> wrote:
>>>
>>> If I set this to attr_protected :admin
>>>
>>> .. I'm unable to access that attribute and won't be able to update my
>>> admins..
>>
>> Not quite true. It means that you can't do
>> some_user.update_attributes(:admin => true).
>>
>> You can however do some_user.admin = true
>>
>> The attr_accessible/attr_protected mechanism is a bit of a blunt tool.
>> There has been some discussion about revisiting this for rails 3
>>
>> Fred
>
> Thanks for the clarification Fred. So, how would I implement this in my
> edit view template? Or, are you stating it can't be done there but
> somewhere else?
>
> <%= f.label :admin? %><br />
> <%= f.check_box :admin %>

This won't protect you from someone forging a request. You should check
this in the controller, maybe put something like this in the update method:

"""
user_to_update.admin = params[:admin] if logged_in_user.admin?
"""

(and PLEASE do check this code before relying on it, that's off the top of
my head).

Doing it this way will make sure that no non-admin can change the admin
status of a user.

Regards,
Felix
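The controller-side check Felix describes, as an added example that is not part of the original thread. It is plain Ruby with no Rails dependency: the User class here stands in for a Rails 2.x model with attr_protected :admin (protected keys are dropped during mass assignment while the plain admin= writer still works, which is Fred's point), params is a symbol-keyed hash shaped the way a check_box submits it ("1" checked, "0" unchecked), and the names vulnerable_update, hardened_update and logged_in_user are assumptions for illustration, not Rails API.

```ruby
# Added example, not code from the original thread. Models Rails 2.x
# attr_protected semantics and the two ways a controller might apply the
# :admin checkbox: the naive way (vulnerable to a forged request) and the
# way Felix suggests (only an admin may change admin status).

class User
  PROTECTED = [:admin].freeze   # stand-in for `attr_protected :admin`

  attr_accessor :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  def admin?
    !!@admin
  end

  # Mass assignment: protected keys are skipped, as attr_protected does.
  # Note that the direct writer `user.admin = true` is NOT affected, which
  # is exactly why update_attributes alone is not a complete control.
  def update_attributes(attrs)
    attrs.each do |key, value|
      next if PROTECTED.include?(key.to_sym)
      public_send("#{key}=", value)
    end
    self
  end
end

# Vulnerable: copies whatever the form sent for :admin onto the user.
# Any user who can reach the edit form (or craft the POST by hand) can
# add admin=1 to the request and promote themselves.
def vulnerable_update(user_to_update, params)
  attrs = params[:user]
  user_to_update.update_attributes(attrs)
  user_to_update.admin = (attrs[:admin] == "1") if attrs.key?(:admin)
  user_to_update
end

# Hardened: safe fields are mass-assigned as before, but :admin is only
# honoured when the caller (logged_in_user, assumed to be the current
# session's user) is already an admin. A forged admin=1 from a non-admin
# is ignored.
def hardened_update(user_to_update, params, logged_in_user)
  attrs = params[:user]
  user_to_update.update_attributes(attrs)
  if attrs.key?(:admin) && logged_in_user.admin?
    user_to_update.admin = (attrs[:admin] == "1")
  end
  user_to_update
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: a non-admin edits their own profile and
  # tacks admin=1 onto the form data.
  forged = { user: { name: "mallory", admin: "1" } }
  mallory = User.new(name: "mallory", email: "m@example.com")
  root    = User.new(name: "root",    email: "r@example.com", admin: true)

  puts "vulnerable, forged by non-admin: admin? = " \
       "#{vulnerable_update(User.new(name: "x", email: "x"), forged).admin?}"
  puts "hardened,   forged by non-admin: admin? = " \
       "#{hardened_update(User.new(name: "x", email: "x"), forged, mallory).admin?}"
  puts "hardened,   set by real admin:   admin? = " \
       "#{hardened_update(User.new(name: "x", email: "x"), forged, root).admin?}"
end
```

Assigning the checkbox value through a dedicated branch, rather than mass assignment, also keeps attr_protected :admin in place as a second layer: even if the authorization check is later refactored away, update_attributes still refuses to set the flag.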

