Colin Law wrote in post #972809: > I don't see what that accomplishes. If the field is not editable in > the view then the value will not be passed in params unless a > hand-crafted post is sent. If a hand-crafted post is sent then it can > include the updatable flag so a malicious person can still modify the > field. I believe that logic in the update action specifically not > allowing the field to be updated from params is the only way. > > Colin
You can merge the params from the controller action and the one supplied from the controller will be the one the model applies. If you are setting the param to false from the controller action before it gets sent to the model, how can it be true? It can't. Also, you don't have to just supply a param, you can also supply a param and a conditional like you suggested on new_record. Either way works. -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
