On 6 January 2011 14:04, Alpha Blue <[email protected]> wrote:
> Colin Law wrote in post #972809:
>> I don't see what that accomplishes. If the field is not editable in
>> the view then the value will not be passed in params unless a
>> hand-crafted post is sent. If a hand-crafted post is sent then it can
>> include the updatable flag so a malicious person can still modify the
>> field. I believe that logic in the update action specifically not
>> allowing the field to be updated from params is the only way.
>>
>> Colin
>
> You can merge the params from the controller action and the one supplied
> from the controller will be the one the model applies. If you are
> setting the param to false from the controller action before it gets
> sent to the model, how can it be true? It can't.

I think I misunderstood what you meant, you said:

> I would add a custom param called params[:updatable] to both the create
> and update actions of the controller, and pass the values of true from
> create and false from update to the model. The model allows the field to
> be saved if true.

I thought you meant pass :updatable from the view to the create and
update actions, but perhaps you meant just set them in the controller
action and then pass them to the model. In that case how would you
interrogate :updatable in the model, given that update_attributes will
be used to do the update?

Colin
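
An added example, not part of the original message and not Rails code: a plain-Ruby stand-in for the two approaches discussed in this thread, a controller-set `updatable` flag checked by the model and stripping the protected field in the update action. `Item`, `owner`, the two helper methods and the sample parameters are hypothetical, and `update_attributes` here is a simplified imitation of mass assignment.

```ruby
# Plain-Ruby stand-in for the Rails pieces in this thread (no ActiveRecord).
# Item, :owner and both controller-style helpers are hypothetical names.
class Item
  attr_reader :name, :owner

  def initialize(attrs)
    @updatable = true              # a new record may set every field
    update_attributes(attrs)
  end

  # Virtual flag set by the controller; never stored.
  def updatable=(value)
    @updatable = (value == true)   # only boolean true counts, not the string "true"
  end

  def name=(value)
    @name = value
  end

  # Guarded writer: ignores the new value unless the flag allows it.
  def owner=(value)
    @owner = value if @updatable
  end

  # Imitates mass assignment; the flag is applied first so key order cannot matter.
  def update_attributes(attrs)
    attrs = attrs.dup
    self.updatable = attrs.delete("updatable") if attrs.key?("updatable")
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Approach 1 (flag): the controller's value is merged last, so it replaces
# any "updatable" entry that arrived in the request.
def update_with_flag(item, params)
  item.update_attributes(params.merge("updatable" => false))
end

# Approach 2 (strip): the update action drops the protected keys from params.
def update_with_strip(item, params)
  item.update_attributes(params.reject { |key, _| %w[owner updatable].include?(key) })
end

# Constructed sample: request parameters that set the flag and the protected field.
FORGED = { "name" => "renamed", "owner" => "mallory", "updatable" => "true" }.freeze
```

In both helpers the unprotected `name` still changes while `owner` keeps the value given at creation.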

