Suppose I have a model (userprofile) which may be altered by users and admins; only one field (roll) may be altered by admins alone.

Of course I can exclude that field from the view if the user is not an admin, but I suspect this is not very safe because one could fake this form.

So the only thing I can think of is taking measures in the controller as well, which is not too handy because it is a long form and I use the update_attributes method.

What I did is to not include this field in params[:userprofile][:roll] but in params[:roll], by using text_field_tag instead of text_field. Now I can update all my fields with

@userprofile.update_attributes(params[:userprofile])

and update the roll field by @userprofile.roll = params[:roll] if current_user.roll == "admin".

What I dislike is that I have to take measures at two places (view and controller), which is not very DRY. Are there better ways? Perhaps in the model?
Regards,
Remco
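The model-level approach Remco is asking about is to keep the privileged field out of mass assignment entirely, which is what Rails' attr_protected / attr_accessible do. Below is an added plain-Ruby sketch of that idea (not Remco's code, and not dependent on Rails): the UserProfile class, its attribute names and the set_roll helper are constructed for this illustration.

```ruby
# Added example: a forged form can add any key to the profile params, so
# the fix is to reject protected keys in the model's mass-assignment path
# rather than trusting the view to omit the field.
class UserProfile
  ATTRIBUTES = %i[name email bio roll].freeze
  # Fields that mass assignment is never allowed to touch (cf. attr_protected).
  PROTECTED = %i[roll].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(roll: "member", **attrs)
    @roll = roll
    update_attributes(attrs)
  end

  # Mass assignment: silently drop protected and unknown keys.
  # Returns the rejected keys so the controller can log the attempt.
  def update_attributes(attrs)
    rejected = []
    attrs.each do |key, value|
      key = key.to_sym
      next rejected << key if PROTECTED.include?(key)
      next rejected << key unless ATTRIBUTES.include?(key)
      instance_variable_set("@#{key}", value)
    end
    rejected
  end

  # Separate privileged path: only an admin may change roll.
  def set_roll(new_roll, current_user)
    return false unless current_user.roll == "admin"
    @roll = new_roll
    true
  end
end

# Constructed sample: a tampered form submits "roll" inside the profile params.
def demo
  admin = UserProfile.new(name: "alice", roll: "admin")
  user  = UserProfile.new(name: "bob")
  forged = { "name" => "bob2", "roll" => "admin" }
  rejected = user.update_attributes(forged)
  { name: user.name, roll: user.roll, rejected: rejected,
    self_promote: user.set_roll("admin", user),
    admin_promote: user.set_roll("admin", admin),
    final_roll: user.roll }
end
```

With the protection in the model, the view no longer has to be trusted and the controller needs only the single admin check for the separate roll parameter.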