> Now when I use firebug and inspect the page, I see a neat little field
> containing the authenticity_token.
>
> But here it comes,
>
> When I edit the page in firebug, and add a field called user_is_admin
> and set its value to 1, and then submit, the changes actually go
> through!! I have now made myself an admin.
>
> Isn't protect_from_forgery supposed to protect from this? Obviously in
> the controller I have kept it simple and did a
> @user.update_attributes(params[:user]), expecting that the
> authenticity_token would never allow any params to be posted that I
> didn't allow through my form.
The forgery protect_from_forgery protects against is cross-site
request forgery, i.e. completely unrelated to the problem you're
tackling. You may be interested in attr_protected/attr_accessible.
Fred
>
> Did I do something wrong implementing this whole thing? I use the
> default cookie session store and still have the :secret key commented
> out, like how the project is generated.
>
> This is with rails 2.3.2
> --
> Posted via http://www.ruby-forum.com/.
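The distinction in this thread, as an added stand-alone example (not code from the thread, and not ActiveRecord itself): the authenticity token only proves the request came from a page the application served; it says nothing about which keys are in `params[:user]`. What blocks the injected `user_is_admin` field is a mass-assignment whitelist such as Rails 2.3's `attr_accessible`. The tiny `MassAssignment` module below imitates that whitelist so the behaviour can be run without Rails; the `User`/`UnprotectedUser` classes, the `SUBMITTED_PARAMS` hash and the two `admin_after_*` helpers are constructed for the demonstration.

```ruby
# Added example: a minimal imitation of Rails 2.3's attr_accessible whitelist.
# This is NOT ActiveRecord; it only reproduces the mass-assignment behaviour
# discussed in the thread (unprotected update_attributes vs. a whitelist).

module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare the attributes that may be set from a params hash.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # nil means "no whitelist declared": every key is assignable.
    def accessible_attributes
      @accessible
    end
  end

  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = attrs.dup # the record's current column values
  end

  # Vulnerable pattern: assign every submitted key, exactly like an
  # update_attributes(params[:user]) call on a model with no whitelist.
  def update_attributes_unprotected(params)
    params.each { |k, v| @attributes[k.to_s] = v }
    self
  end

  # Whitelisted pattern: keys outside attr_accessible are dropped
  # (Rails 2.3 logs a warning for each one instead of raising).
  def update_attributes(params)
    allowed = self.class.accessible_attributes
    rejected = []
    params.each do |k, v|
      key = k.to_s
      if allowed.nil? || allowed.include?(key)
        @attributes[key] = v
      else
        rejected << key
      end
    end
    warn "Dropped protected attribute(s): #{rejected.join(', ')}" unless rejected.empty?
    self
  end
end

# Constructed model with no whitelist (the situation in the question).
class UnprotectedUser
  include MassAssignment
end

# Constructed model with the whitelist Fred points at.
class User
  include MassAssignment
  attr_accessible :name, :email
end

# Constructed params resembling the edited form post in the thread:
# the legitimate fields plus the injected user_is_admin field.
SUBMITTED_PARAMS = {
  "name" => "alice",
  "email" => "[email protected]",
  "user_is_admin" => "1",
}.freeze

# Returns the admin flag after an unprotected update: the injected value wins.
def admin_after_unprotected_update
  u = UnprotectedUser.new("name" => "alice", "user_is_admin" => "0")
  u.update_attributes_unprotected(SUBMITTED_PARAMS)
  u.attributes["user_is_admin"]
end

# Returns the admin flag after a whitelisted update: the injected key is dropped.
def admin_after_whitelisted_update
  u = User.new("name" => "alice", "user_is_admin" => "0")
  u.update_attributes(SUBMITTED_PARAMS)
  u.attributes["user_is_admin"]
end

if __FILE__ == $0
  puts "unprotected: user_is_admin=#{admin_after_unprotected_update}" # "1"
  puts "whitelisted: user_is_admin=#{admin_after_whitelisted_update}" # "0"
end
```

The CSRF token never enters either code path, which is the point of Fred's reply: forgery protection and attribute protection are separate controls, and a privileged column like `user_is_admin` needs to be kept out of the whitelist (or set only from controller code) regardless of how the form is rendered.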
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.