On 26 Feb 2011, at 15:31, Mauro wrote:
I know it's a good practice setting attr_accesible for models. As an example if I have a model with admin: boolean attribute and if I don't set attr_accessible, a user can do: put /users/17?admin=1 making user 17 an admin. But if I have attr_accessible set and I want to create new users with a html form, how can I set admin true or false? I have to do an update directly in the database?
Indeed, if you protect the admin boolean from mass assignment, it's up to you to assign it. You can still use the incoming params to determine if you need to set it or not, but you'll probably want to verify if the user has the permissions to do that.
Best regards Peter De Berdt -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
