Suppose I have a model (userprofile) which may be altered by users and admins, but one field (roll) may only be altered by admins. Of course I can exclude that field from the view if the user is not an admin, but I suspect this is not very safe because one could fake this form. So the only thing I can think of is taking measures in the controller as well, which is not too handy because it is a long form and I use the update_attributes method.

What I did is to not include this field in params[:userprofile][:roll] but in params[:roll], by using text_field_tag instead of text_field. Now I can update all my fields with @userprofile.update_attributes(params[:userprofile]) and update the roll field by @userprofile.roll = params[:roll] if current_user.roll == "admin".

What I dislike is that I have to take measures at two places (view and controller), which is not very DRY. Are there better ways? Perhaps in the model?

Regards,
Remco
--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
You're right, that way it's not secure. Even if you fake around with the form, how would you know that the data that reaches your server was generated using this form? Users can throw everything at your server, using simple command line tools.

Use attr_protected instead: http://api.rubyonrails.org/classes/ActiveRecord/Base.html#M001315

Then you get exactly the behaviour you want: the attribute can't be set with update_attributes, but must be set manually with update_attribute (or similar methods).
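The reply's point, as an added example that is not code from the thread or from Rails itself: a plain-Ruby stand-in for the model shows what attr_protected does to a forged request (a normal user posting roll both inside params[:userprofile] and at the top level), and a controller-style update function then sets roll only for admins through the single-attribute writer. It also shows the whitelist alternative (attr_accessible in that Rails version, strong parameters in later ones), which fails closed when a new column is added. The class and method names (UserProfile, update_profile, permit), the attribute list and the current_user hash are assumptions for illustration; ActiveRecord is not loaded, so the mass-assignment filtering is reimplemented here in a few lines.

```ruby
# Added illustration, not the poster's code and not ActiveRecord: a minimal
# model that filters mass assignment the way `attr_protected :roll` does.
# Hypothetical names: UserProfile, update_profile, permit, current_user.
class UserProfile
  ATTRIBUTES = %i[name email roll].freeze
  PROTECTED  = %i[roll].freeze   # what `attr_protected :roll` declares

  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = { name: nil, email: nil, roll: "user" }
    update_attributes(attrs)
  end

  # Mass assignment: unknown and protected keys are silently dropped,
  # so a forged `roll` in the form hash never reaches the record.
  def update_attributes(attrs)
    attrs.each do |key, value|
      key = key.to_sym
      next unless ATTRIBUTES.include?(key)
      next if PROTECTED.include?(key)
      @attributes[key] = value
    end
    self
  end

  # Single-attribute write that bypasses mass-assignment protection,
  # like ActiveRecord's update_attribute; only the controller calls it.
  def update_attribute(key, value)
    @attributes[key.to_sym] = value
    self
  end

  def roll
    @attributes[:roll]
  end
end

# Whitelist variant (attr_accessible / strong parameters): keep only the
# keys the caller names, so a column added later is protected by default.
def permit(params, *allowed)
  params.select { |k, _| allowed.include?(k.to_sym) }
end

# Stand-in for the controller's update action. `params` is the raw request
# hash: a client can put anything in it regardless of what the form showed.
# `current_user` is a hash with a :roll key (assumption for the example).
def update_profile(profile, params, current_user)
  profile.update_attributes(params.fetch(:userprofile, {}))
  if current_user[:roll] == "admin" && params.key?(:roll)
    profile.update_attribute(:roll, params[:roll])
  end
  profile
end

# Constructed forged request: a normal user tries both places for `roll`.
FORGED = { userprofile: { name: "Mallory", roll: "admin" }, roll: "admin" }.freeze

if __FILE__ == $PROGRAM_NAME
  as_user  = update_profile(UserProfile.new(name: "Remco"), FORGED, { roll: "user" })
  as_admin = update_profile(UserProfile.new(name: "Remco"), FORGED, { roll: "admin" })
  puts "user request  -> roll=#{as_user.roll}, name=#{as_user.attributes[:name]}"
  puts "admin request -> roll=#{as_admin.roll}"
  puts "whitelisted form hash: #{permit(FORGED[:userprofile], :name, :email)}"
end
```

The model-level check is what makes this DRY: the view may still hide the field for non-admins, but nothing depends on it, because update_attributes cannot write roll no matter what the request contains, and the only code path that can is the explicit admin branch in the controller.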