> That way, at least the behavior would be clear. The fact that
> update_attribute appears to work but doesn't actually work is the
> "bug" in my mind. I'd prefer to make it actually work, but the options
> I explored may end up being more problematic than are justified by the
> issue at hand.
I

> Authentication belongs to the controller. Securing models should
> belong in the validation cycle, ensuring that *all* code hitting the
> models goes through the same security validation process.
Gaspard, I'd argue that the issue at hand is authorization, and not
necessarily validation. A set

On Mar 1, 11:32 pm, Trevor Turk wrote:
> If I don't hear any objections I'll try to work up a patch with doc
> fixes tomorrow and create a Lighthouse ticket.
I've done some research and added a new file to the original gist:
http://gist.github.com/70955
You're probably best off viewing it here

I was wondering what the status was with the various acts plugins. Are
they just being patched for security issues, like the in-place editing
plugin was the other day, or are they still having new features added?
I'm asking because I forked the acts_as_list plugin to add support for
specifyi

It's not possible to use absolute path locations for layouts anymore.
Before trying to patch this, I'd like to understand why this has been removed.
Is there a good reason we have absolute paths for templates but not
for the layout? Is there any way to work around this?
Thanks for any advice

I think we are touching a deeper problem here apart from the
accessible/protected issue. From the start we realized that we need to
store valid models in the database so we wrote validations. Strangely,
it did not occur to us that security issues are part of the validation
process. They are not so