> Hi guys,
>
> Let's say I have a model with some attributes that are maintained by
> the model itself (like a status based on some business rules). What
> would be the best way to prevent those attributes from being passed
> in an update (post), even if they are not part of the form? From what
> I understand, there is nothing preventing a malicious user from
> setting a <type="hidden" name="user[is_admin]" value="1"> in his
> request.
>
> So, what is the best way?
Take a look at the attr_accessible and attr_protected class methods of
ActiveRecord:
http://rails.rubyonrails.com/classes/ActiveRecord/Base.html#M000616
They allow/deny (depending on which you use) mass assignment of
attributes, forcing you to set them individually.
--
rick
http://techno-weenie.net
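As an added illustration (not code from this thread, and not ActiveRecord's own implementation), here is a small stand-alone re-creation of the allow-list / deny-list semantics rick describes, run against a params hash that carries the injected is_admin field from the question; the `MassAssignment` module and the `User` and `Post` models are assumed names.

```ruby
# Stand-alone re-creation of attr_accessible / attr_protected filtering.
# Assumption: a plain Ruby Hash plays the role of the request params.
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Allow-list: only these attributes may be mass-assigned.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # Deny-list: everything except these may be mass-assigned.
    def attr_protected(*names)
      @protected = names.map(&:to_s)
    end

    # Drop every key the model does not permit via mass assignment.
    def filter_attributes(params)
      params = params.transform_keys(&:to_s)
      if @accessible
        params.select { |k, _| @accessible.include?(k) }
      elsif @protected
        params.reject { |k, _| @protected.include?(k) }
      else
        params # no protection declared: everything passes through
      end
    end
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    update_attributes(params)
  end

  # Mass assignment path (what a form post goes through).
  def update_attributes(params)
    @attributes.merge!(self.class.filter_attributes(params))
  end

  # Individual assignment path: the model itself sets protected fields here.
  def []=(name, value)
    @attributes[name.to_s] = value
  end
end

class User
  include MassAssignment
  attr_accessible :name, :email   # is_admin is deliberately absent
end

class Post
  include MassAssignment
  attr_protected :status          # status is owned by business rules
end
```

A crafted `user[is_admin]=1` hidden field arrives as `{"is_admin" => "1"}` in the params hash and is silently dropped by `update_attributes`, while `user["is_admin"] = true` from model code still works.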