Maybe I am grasping the full usage of this protect_from_forgery function, but it does not seem to work for me. Imagine the following:

A simple website with a user that needs to log in to do certain stuff, and a closed-off admin section that only certain users can access, the ones that have the is_admin field set to true. So to be clear, my User model has a login, password and is_admin. When displaying the user's 'profile', he can only edit his password. I don't want him editing his own login or, of course, his is_admin status, for obvious reasons.

Now when I use Firebug and inspect the page, I see a neat little field containing the authenticity_token. But here it comes: when I edit the page in Firebug, add a field called user_is_admin, set its value to 1 and then submit, the changes actually go through! I have now made myself an admin. Isn't protect_from_forgery supposed to protect from this?

Obviously in the controller I have kept it simple and did a @user.update_attributes(params[:user]), expecting that the authenticity_token would never allow any params to be posted that I didn't allow through my form. Did I do something wrong implementing this whole thing? I use the default cookie session store and still have the :secret key commented out, like how the project is generated. This is with Rails 2.3.2.

-- Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
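Added example, not code from the original post or from Rails itself: plain Ruby that mimics what the two mechanisms actually check, to show why the authenticity_token passes while the injected user[is_admin] field still lands on the model, and what an attribute whitelist like Rails 2.3's attr_accessible :password does about it. The token value, the session hash and the params hash are constructed for the demonstration.

```ruby
# Constructed request: a logged-in user's own profile form, submitted with an
# extra user[is_admin] field added to the page before posting.
FORM_TOKEN = "constructed-token-abc123"
SESSION    = { :_csrf_token => FORM_TOKEN }
PARAMS     = {
  :authenticity_token => FORM_TOKEN,
  :user => { "password" => "new-secret", "is_admin" => "1" },
}

# What protect_from_forgery verifies: only that the token in the form matches
# the one stored in the session. It says nothing about which fields params carry.
def verified_request?(session, params)
  session[:_csrf_token] == params[:authenticity_token]
end

class User
  attr_reader :login, :password, :is_admin

  # Whitelist, the way attr_accessible :password behaves in the model:
  # keys not on the list are dropped before assignment.
  ACCESSIBLE = %w[password]

  def initialize(login, password, is_admin = false)
    @login, @password, @is_admin = login, password, is_admin
  end

  # Mirrors the original controller: update_attributes(params[:user]) with no
  # attribute protection, so every key in the hash is written to the model.
  def update_attributes_unprotected(attrs)
    attrs.each { |k, v| instance_variable_set("@#{k}", cast(k, v)) }
    self
  end

  # Same call with the whitelist applied: is_admin never reaches the model.
  def update_attributes_protected(attrs)
    attrs.each do |k, v|
      next unless ACCESSIBLE.include?(k.to_s)
      instance_variable_set("@#{k}", cast(k, v))
    end
    self
  end

  private

  # Minimal stand-in for ActiveRecord's boolean column casting.
  def cast(key, value)
    key.to_s == "is_admin" ? value.to_s == "1" : value
  end
end
```

Both calls pass the CSRF check; only the whitelisted one leaves is_admin untouched.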

