ruby on rails params injection
- by Julien P.
Hello everyone,
I have a question about Ruby on Rails and the process of assigning variables using the params variable passed through a form:
class User < ActiveRecord::Base
  # Both attributes are whitelisted for mass assignment, for every caller.
  attr_accessible :available_to_admins, :name
end
Let's say that I have a field that is only available to my admins. Assuming that you are not an admin, I am not going to display the available_to_admins input in your form.
After that, when I want to save your data I'll just do:
# update_attributes is an instance method, called on the record being edited
@user.update_attributes(params[:user])
If you are an admin, then no problem: params[:user] is going to contain name and available_to_admins, and if you're not, then only your name.
Since available_to_admins is an attr_accessible attribute, how should I prevent non-admin users from being able to inject a variable containing the available_to_admins input with their new value?
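The mass-assignment problem the question describes, with a role-based whitelist as the fix, as an added example that is not part of the original post. It is plain Ruby rather than Rails so it runs stand-alone: the User class is a constructed stand-in for the ActiveRecord model, the helper names (permitted_user_params, update_user, update_user_unfiltered) are hypothetical, and the request body is constructed to show a non-admin who added the hidden field by hand.

```ruby
# Added example (not from the original post): plain-Ruby emulation of the
# mass-assignment problem and a role-based whitelist fix. No Rails is loaded,
# so User below is a constructed stand-in for the ActiveRecord model.

# Stand-in for the User model: the two attributes from the question.
class User
  attr_reader :name, :available_to_admins

  def initialize(name: nil, available_to_admins: false)
    @name = name
    @available_to_admins = available_to_admins
  end

  # Mimics update_attributes on an attr_accessible model: every key the
  # caller hands in is assigned, so any filtering has to happen before this.
  def update_attributes(attrs)
    attrs.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end
end

# Which keys each role may set. Decided server-side from the authenticated
# session, never from which inputs the form happened to render.
PUBLIC_USER_ATTRS = %w[name].freeze
ADMIN_USER_ATTRS  = (PUBLIC_USER_ATTRS + %w[available_to_admins]).freeze

# Hypothetical helper: returns only the permitted subset of the submitted
# params for the given role. Anything else (including a hand-crafted
# available_to_admins field from a non-admin) is silently dropped.
def permitted_user_params(raw_params, admin:)
  allowed = admin ? ADMIN_USER_ATTRS : PUBLIC_USER_ATTRS
  raw_params.to_h.transform_keys(&:to_s).slice(*allowed)
end

# Vulnerable path from the question: params[:user] goes straight to the model.
def update_user_unfiltered(user, raw_params)
  user.update_attributes(raw_params)
end

# Hardened path: filter by role first, then mass-assign.
def update_user(user, raw_params, admin:)
  user.update_attributes(permitted_user_params(raw_params, admin: admin))
end

# Constructed request body: a non-admin who added the hidden field by hand.
TAMPERED_PARAMS = { "user" => { "name" => "mallory", "available_to_admins" => "1" } }.freeze

if __FILE__ == $PROGRAM_NAME
  victim = update_user_unfiltered(User.new(name: "mallory"), TAMPERED_PARAMS["user"])
  puts "unfiltered:           available_to_admins=#{victim.available_to_admins.inspect}"
  safe = update_user(User.new(name: "mallory"), TAMPERED_PARAMS["user"], admin: false)
  puts "filtered (non-admin): available_to_admins=#{safe.available_to_admins.inspect}"
end
```

The point is that the set of assignable keys must come from the server's own view of who is logged in, not from which inputs were rendered, because the client can always add the missing field. In Rails itself the same idea is expressed either with role-scoped attr_accessible (Rails 3.1+: `attr_accessible :name` plus `attr_accessible :name, :available_to_admins, as: :admin`, then `@user.update_attributes(params[:user], as: current_user.admin? ? :admin : :default)`), or in Rails 4 with strong parameters (`params.require(:user).permit(:name)` for everyone, adding `:available_to_admins` only when the current user is an admin). On older Rails 3.0, deleting the key from params[:user] before the update_attributes call unless the current user is an admin does the same job.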