On 16 Apr 2008, at 14:57, Thorsten Mueller wrote:
>
> I'm refactoring an app that uses in_place_edit_for
>
> the controller code looks like:
>
>   Address.content_columns.each do |column|
>     in_place_edit_for :address, column.name
>   end
>
>   new Ajax.InPlaceEditor('address_street_1234_in_place_editor',
>     '/customer/product/set_address_street/1234')
>
> since there's no set_address_street method in the controller, I
> guess the in_place_edit_for generates it.
>
> But that would mean that the controller would accept any call with
> any id and update the fields? (Even if I check for login with a
> before filter, a logged in user could change other users' data)
>
> So the questions:
> - Am I right about the security issue here or do I miss something?
> (didn't read too much docs now)
> - Can I write my own methods and make in_place_edit_for use them?
> (Even if this would mean to write one method per attribute)
in_place_edit_for in the controller is just shorthand for the most
common case. It doesn't do anything clever; if you look at the source
it's just:

  def in_place_edit_for(object, attribute, options = {})
    define_method("set_#{object}_#{attribute}") do
      # Finds the record by the id taken from the URL alone, with no
      # ownership check, then writes params[:value] straight into it.
      @item = object.to_s.camelize.constantize.find(params[:id])
      @item.update_attribute(attribute, params[:value])
      render :text => @item.send(attribute).to_s
    end
  end

All you need to do is create methods with the appropriate name, which
you could do by hand or roll your own version of in_place_edit_for
which checks whatever you want checked.
Fred
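As an added example (not Fred's code and not the Rails helper itself), here is one way to roll your own version along the lines Fred suggests, covering both of Thorsten's points: the generated set_* action looks the record up through an association on current_user, so an id belonging to another user raises instead of updating, and only an explicit list of columns gets an action, so looping over content_columns can no longer expose something like user_id. The Rails pieces it leans on (params, current_user, render, ActiveRecord's find and update_attribute) are replaced by minimal in-memory stand-ins so the file runs outside Rails; the names SecureInPlaceEdit, OwnedAddresses, AddressesController and demo are all assumptions made for the example.

```ruby
# Added example, not from the original thread or from Rails: a hardened
# stand-in for in_place_edit_for. Requires Ruby 2.0+ (keyword arguments).

class RecordNotFound < StandardError; end

# Stand-in for an ActiveRecord model (assumed for the example).
class Address
  attr_accessor :id, :user_id, :street, :city
  ALL = []  # in-memory table

  def initialize(id, user_id, street, city)
    @id, @user_id, @street, @city = id, user_id, street, city
    ALL << self
  end

  # Stand-in for Address.find(id): any caller with a valid id gets the row.
  def self.find(id)
    ALL.find { |a| a.id == id.to_i } or raise RecordNotFound, "Address #{id}"
  end

  # Stand-in for ActiveRecord's update_attribute.
  def update_attribute(name, value)
    send("#{name}=", value)
    true
  end
end

# Stand-in for the current_user.addresses association: find only
# succeeds for rows owned by that user (assumed for the example).
class OwnedAddresses
  def initialize(user); @user = user; end

  def find(id)
    Address::ALL.find { |a| a.id == id.to_i && a.user_id == @user.id } or
      raise RecordNotFound, "Address #{id} not visible to user #{@user.id}"
  end
end

class User
  attr_reader :id
  def initialize(id); @id = id; end
  def addresses; OwnedAddresses.new(self); end
end

# Hypothetical replacement for in_place_edit_for. Same generated method
# name (set_<object>_<attribute>), but the lookup goes through an
# association on current_user instead of Model.find(params[:id]).
module SecureInPlaceEdit
  def secure_in_place_edit_for(object, attribute, through:)
    define_method("set_#{object}_#{attribute}") do
      item = current_user.send(through).find(params[:id])
      item.update_attribute(attribute, params[:value])
      render :text => item.send(attribute).to_s
    end
  end
end

# Controller stand-in. Only EDITABLE columns get an action; user_id is
# deliberately left out so ownership cannot be reassigned from a form.
class AddressesController
  extend SecureInPlaceEdit
  attr_reader :rendered

  EDITABLE = %w[street city]
  EDITABLE.each { |col| secure_in_place_edit_for :address, col, through: :addresses }

  def initialize(current_user, params)
    @current_user, @params = current_user, params
  end

  private
  attr_reader :current_user, :params
  def render(options); @rendered = options[:text]; end
end

# Walks through the scenario from the question with constructed data.
def demo
  Address::ALL.clear
  alice, mallory = User.new(1), User.new(2)
  Address.new(1234, alice.id, "1 Old St", "Oslo")

  # Alice edits her own street via the generated action.
  ctrl = AddressesController.new(alice, id: "1234", value: "2 New St")
  ctrl.set_address_street
  own = ctrl.rendered

  # Mallory, logged in, replays the same URL against Alice's record.
  other = begin
    AddressesController.new(mallory, id: "1234", value: "pwned").set_address_street
    :updated
  rescue RecordNotFound
    :blocked
  end

  # No set_address_user_id action exists, so ownership cannot be changed.
  reassign = ctrl.respond_to?(:set_address_user_id)

  { own: own, other: other, street_now: Address.find(1234).street, reassign: reassign }
end
```

The point of routing the lookup through current_user.addresses rather than checking ownership after a global Address.find is that the check cannot be forgotten per action: every method the macro defines inherits it, and a missing association simply fails loudly.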
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.