An alternative to using hidden fields in Rails. Security
I am setting up a messaging system where custom posts should always be moderated by a superuser unless they are from a "verified" user (User.verified = true).
I was going to set up a boolean column (verified) in the User model, and if that's true then allow them to post and bypass moderation.
So when the user goes to mail ... I know I can easily create a hidden field for the message. For example, in my post form, I could add:
<%= f.hidden_field :approved, :value => 1 if current_user.verified == 1 %>
However, I know this is unsafe, and anyone can easily use Firebug to change this.
What's the best practice for moving this logic into the model / controller? Or is there a good resource that covers things like this, such as overriding or changing the default create / update actions?
Thanks
Following the answer below, here's what I now have in my Post model:
# If the user is verified, set the approved column to true
before_save :check_for_verified

def check_for_verified
  # "self." is required: a bare "approved = ..." only creates a local variable.
  self.approved = user.verified?
  # Return true so the callback never halts the save (a before_* callback
  # returning false cancels the save in Rails versions before 5).
  true
end
However, this no longer lets me save: there is no error, it simply does not save.
Your feeling that this doesn't belong in the view is correct.
There are many ways you could do this. One way would be to set up a before_create callback on the model that sets approval if the user is verified:
class Post
  before_create :approve_if_user_verified

  def approve_if_user_verified
    # Assign the attribute via "self."; a bare "approved = ..." is a local variable.
    self.approved = user.verified?
    # Return true so an unverified user (false) does not halt the save in Rails < 5.
    true
  end
end
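Added illustration, in plain Ruby and not part of either post or of ActiveRecord: a minimal stand-in model that reproduces the two pitfalls above (the local-variable assignment and a callback returning false halting the save, as Rails 4 did) and shows the approved flag being decided server-side no matter what the form submits. The names User, Post, verified? and approved come from the question; the callback runner is a deliberately simplified imitation of Rails semantics.

```ruby
# Stand-in for the User model: only the "verified" flag matters here.
User = Struct.new(:verified) do
  def verified?
    !!verified
  end
end

class BasePost
  attr_accessor :body, :approved, :user

  # Only the body is mass-assigned, so an "approved" value smuggled into the
  # form (via a hidden field or Firebug) is simply dropped. This mirrors what
  # strong parameters / attr_accessible do for a real ActiveRecord model.
  def initialize(user, params)
    @user = user
    @approved = false
    @body = params[:body]
  end

  # Simplified Rails-4-style callback chain: a before_create callback that
  # returns false halts the save and nothing is persisted.
  def save
    return false if before_create == false
    @persisted = true
  end

  def persisted?
    !!@persisted
  end
end

# The version from the question: "approved = ..." assigns a local variable,
# so the column never changes, and the false return value halts the save.
class BrokenPost < BasePost
  def before_create
    approved = user.verified?
  end
end

# The corrected callback: assign through self and always return true.
class FixedPost < BasePost
  def before_create
    self.approved = user.verified?
    true
  end
end

# Try to save a post by a user with the given verified flag; the constructed
# params deliberately include approved: true to show it is ignored.
def try_post(klass, verified, params = { body: "hello", approved: true })
  post = klass.new(User.new(verified), params)
  [post.save, post.approved]
end
```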