Colin Law wrote in post #972809:
> On 6 January 2011 13:43, Alpha Blue <[email protected]> wrote:
>> I would add a custom param called params[:updatable] to both the create
>> and update actions of the controller, and pass the values of true from
>> create and false from update to the model. The model allows the field to
>> be saved if true.
>
> I don't see what that accomplishes.  If the field is not editable in
> the view then the value will not be passed in params unless a
> hand-crafted post is sent.  If a hand-crafted post is sent then it can
> include the updatable flag so a malicious person can still modify the
> field.  I believe that logic in the update action specifically not
> allowing the field to be updated from params is the only way.

...and this is why attr_protected sucks so bad.  There oughta be an easy 
way of saying "reject these attributes, but only for certain actions". 
Unfortunately, Rails doesn't, and perhaps can't, work that way, so we're 
stuck with clumsy hash merges in the controller.

I wonder if a better way is possible.  Hmm.

>
> Colin

Best,
-- 
Marnen Laibow-Koser
http://www.marnen.org
[email protected]

Sent from my iPhone

-- 
Posted via http://www.ruby-forum.com/.
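As an added example (not code from the thread or from Rails itself), a plain-Ruby simulation of the two schemes discussed: the model-side `updatable` flag that rides inside the request params, and the update action that fixes its own attribute allowlist regardless of what arrives. The `Account` model, the `name`/`role` fields and the request hash are all constructed for the illustration.

```ruby
# Constructed for this example: a model whose "role" must be settable
# only when the record is created, never on a later update.
class Account
  attr_reader :attributes

  def initialize
    @attributes = {}
  end

  # Flawed scheme from the thread: the model trusts an :updatable flag that
  # travels inside the same params hash as the attributes themselves.
  def assign_with_flag(params)
    allowed = params[:updatable] ? %w[name role] : %w[name]
    assign(params, allowed)
  end

  # Plain assignment limited to an explicit list chosen by the caller.
  def assign(params, allowed)
    params.each { |k, v| @attributes[k.to_s] = v if allowed.include?(k.to_s) }
    self
  end
end

# Simulated controller actions. `params` stands in for the request params
# hash, which the client controls entirely.
def update_with_flag(account, params)
  # The update action never sets :updatable, so an honest form leaves it
  # absent; but nothing stops a crafted request from supplying it.
  account.assign_with_flag(params)
end

def update_with_action_allowlist(account, params)
  # Here the action itself fixes the allowlist; params cannot widen it.
  account.assign(params, %w[name])
end

# Constructed request that carries both the flag and the protected field.
CRAFTED = { name: "eve", role: "admin", updatable: true }.freeze

# Returns the resulting "role" under each scheme for the same request.
def demo
  flawed = update_with_flag(Account.new, CRAFTED).attributes
  fixed  = update_with_action_allowlist(Account.new, CRAFTED).attributes
  { flawed_role: flawed["role"], fixed_role: fixed["role"] }
end
```

Running `demo` shows the flag-based model accepting the role change while the action-level allowlist drops it, which is the distinction Colin draws above.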

