You could always do it manually by encoding the ids in questions and storing
the encoding in the form as well.  On form validation, you could just ensure
that the encoded string and the non-encoded string match up.  That way, a
hacker would need to change both strings to get the thing to work.  Would
that work or were you looking for something less manual like a gem or
whatever?

On Wed, Aug 19, 2009 at 7:32 AM, Frederick Cheung <
[email protected]> wrote:

>
>
>
> On Aug 19, 12:07 pm, Mukund <[email protected]> wrote:
> > You can enable the :protect_from_forgery which puts in an authenticity
> > token with every form.  This is on by default in the new version of
> > Rails. This is a random ID tied down with the session.   This is not
> > the same as what you are looking for, but it will probably suffice.
> >
> Actually I think it is completely different. That is protection from
> CSRF attacks, whereas Trausti is (I think) concerned about a user
> editing the page to change the value of a hidden field or things like
> that.
>
> Fred
> > On Aug 19, 2:47 pm, Trausti Thor Johannsson <[email protected]>
> > wrote:
> >
> >
> >
> > > In cakephp, you have Secure component.  It takes certain form values
> > > like id and User_id and such and encodes them.
> > > How is this done in rails ?  I don't want the user to change ids on
> > > items for deletions and such.
> >
> > > Trausti
> >
>
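
As an added example (not code from the thread), the approach the reply above sketches, done with a keyed HMAC rather than a plain encoding: each sensitive hidden field is paired with a signature over the field name and value computed with a server-side secret, and on submission the server recomputes it and only trusts the value if both match. An encoding anyone can recompute gives no protection, so the secret is what makes the check hold; the secret, field names and sample values here are constructed for the example.

```ruby
require 'openssl'

# Server-side secret. In a Rails app this would come from the app's secret
# configuration; a constructed value is used so the example runs stand-alone.
FORM_SECRET = 'constructed-example-secret-do-not-reuse'.freeze

# Compare two strings without short-circuiting on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Values to embed as hidden fields: the plain value plus an HMAC over
# "name=value". Binding the name stops a signature made for one field
# (e.g. item_id) being moved onto another (e.g. user_id).
def sign_field(name, value, secret = FORM_SECRET)
  sig = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{name}=#{value}")
  { name => value.to_s, "#{name}_sig" => sig }
end

# Return the submitted value if its signature still verifies, else nil.
# Callers treat nil as a tampered or missing field and reject the request.
def verify_field(params, name, secret = FORM_SECRET)
  value = params[name]
  sig   = params["#{name}_sig"]
  return nil if value.nil? || sig.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{name}=#{value}")
  secure_equal?(sig, expected) ? value : nil
end

if $PROGRAM_NAME == __FILE__
  fields = sign_field('item_id', 42)          # what the form would render
  puts "accepted: #{verify_field(fields, 'item_id').inspect}"
  tampered = fields.merge('item_id' => '43')  # user edits the hidden field
  puts "tampered: #{verify_field(tampered, 'item_id').inspect}"
end
```

In a Rails view the two hash entries become two `hidden_field_tag` calls, and the controller runs `verify_field(params, 'item_id')` before using the id for a deletion.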

You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
