> This won't protect you from someone forging a request. You should
> check this in the controller, maybe put something like this in the
> update method:
>
> """
> user_to_update.admin = params[:admin] unless !logged_in_user.admin?
> """
>
> (and PLEASE do check this code before relying on it, that's off the
> top of my head). Doing it this way will make sure that no non-admin
> can change the admin status of a user.
>
> Regards,
>
> Felix
Thanks Felix,

Yeah I don't want to rely on attr_protected and attr_accessible either. I would rather code my own pieces and use those as an extra buffer. Thanks for the input and I'll create a custom check for this and test thoroughly.

-- 
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
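The mass-assignment problem the thread is about, and the controller-side check Felix suggests, as an added example that is not code from either poster. It runs without Rails: the `User` class, its `update_attributes` stand-in, the `PERMITTED` list and the `update_user_*` helpers are all hypothetical names that mimic `update_attributes(params[:user])` in a Rails controller of that era. The request hash below is constructed for the example.

```ruby
# Minimal stand-in for an ActiveRecord model with no attr_protected /
# attr_accessible: every key in the params hash becomes a setter call.
class User
  attr_accessor :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  def admin?
    !!@admin
  end

  # Mimics update_attributes(params[:user]) with no protection at all.
  def update_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Rails form checkboxes arrive as "1"/"0" or "true"/"false" strings.
def coerce_bool(v)
  %w[1 true on].include?(v.to_s.downcase)
end

# VULNERABLE: trusts params[:user] wholesale. A client that adds
# user[admin]=1 to a self-service profile form becomes an administrator.
def update_user_unchecked(user_to_update, params)
  user_to_update.update_attributes(params[:user] || {})
end

# HARDENED: whitelist the fields an ordinary user may change, then copy
# the admin flag only when the logged-in user is already an admin.
# This is the check Felix proposes, done in the controller so it holds
# even if the model-level protection is wrong or missing.
PERMITTED = %w[name email].freeze

def update_user_checked(user_to_update, params, logged_in_user)
  raw = params[:user] || {}
  # Accept string or symbol keys, as Rails params do.
  safe = raw.each_with_object({}) do |(k, v), h|
    h[k.to_s] = v if PERMITTED.include?(k.to_s)
  end
  admin_given = raw.key?("admin") || raw.key?(:admin)
  if admin_given && logged_in_user.admin?
    safe["admin"] = coerce_bool(raw.fetch("admin") { raw[:admin] })
  end
  # A non-admin sending admin=... has the key silently dropped; in a real
  # controller you would also log that attempt.
  user_to_update.update_attributes(safe)
end

if __FILE__ == $0
  # Constructed request: a profile update with an extra, forged field.
  params = { user: { "name" => "mallory", "admin" => "1" } }

  mallory = User.new(name: "mallory", email: "m@example.test")
  update_user_unchecked(mallory, params)
  puts "unchecked: admin=#{mallory.admin?}"

  mallory = User.new(name: "mallory", email: "m@example.test")
  update_user_checked(mallory, params, mallory)
  puts "checked, non-admin caller: admin=#{mallory.admin?}"
end
```

The whitelist and the admin check are two separate layers on purpose: the whitelist stops unknown fields from ever reaching the model, and the explicit `logged_in_user.admin?` test is the only path by which `admin` can change, which is what the "extra buffer" in the reply above amounts to.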

