An alternative to using hidden fields in Rails. Security

I am setting up a messaging system where custom posts should always be superuser moderated unless they come from a "verified" user (User.verified = true).

I was going to set up a boolean column (verified) on the User model, and if that's true then allow them to post and bypass moderation.

So when the user goes to post ... I know I can easily create a hidden field for the message. For example, in my post form, I could add

<%= f.hidden_field :approved, :value => 1 if current_user.verified == 1 %>

However, I know this is unsafe and anyone can easily use Firebug to change this.

What's the best practice for moving this logic into the model / controller? Or is there a good resource that covers things like this, such as overriding or changing the default create / update actions?

Thanks.

Following the answer below, here's what I now have in my Post model:

# If user is verified, set approved column to true
before_save :check_for_verified

def check_for_verified
    approved = user.verified?
end

However, this no longer lets me save. There is no error; it simply does not save.

+3


1 answer


Your feeling that this does not belong in the view is correct.

There are many ways you could do this. One way would be to set up a before_create callback on the model, which sets approval if the user is verified.

class Post < ActiveRecord::Base
  before_create :approve_if_user_verified

  private

  # Assign to self.approved: a bare `approved = ...` only creates a local variable
  # and leaves the column untouched. Return true explicitly so the boolean result
  # never halts the callback chain (a false return value stops the save in Rails < 5).
  def approve_if_user_verified
    self.approved = user.verified?
    true
  end
end

+4
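To show the two points above working together (approval decided server-side in a create callback, and a forged approved field from the form being ignored), here is an added example that is not from the question or the answer. It is plain Ruby that mimics the Rails pattern so it runs without ActiveRecord; User, Post, PERMITTED and from_params are illustrative names.

```ruby
# Constructed stand-in for a User record; verified? mirrors a boolean column.
User = Struct.new(:name, :verified) do
  def verified?
    verified == true
  end
end

class Post
  # Attributes a form may set. :approved is deliberately absent, so a hidden
  # field (or a value edited in the browser) can never reach the column.
  PERMITTED = %w[title body].freeze

  attr_accessor :title, :body, :user
  attr_reader :approved

  # Builds a post from request params, keeping only whitelisted keys
  # (the role strong parameters / attr_accessible play in Rails).
  def self.from_params(user, params)
    post = new
    post.user = user
    params.each do |key, value|
      post.public_send("#{key}=", value) if PERMITTED.include?(key.to_s)
    end
    post
  end

  # Stand-in for save with a before_create callback: the approval decision
  # is made here, from the server-side user record, not from the form.
  def save
    approve_if_user_verified
    @persisted = true
  end

  def persisted?
    @persisted == true
  end

  private

  # `self.` is essential: a bare `approved = ...` only creates a local variable,
  # which is why the question's check_for_verified never set the column.
  # Returning true keeps a false verified? result from halting the save.
  def approve_if_user_verified
    self.approved = user.verified?
    true
  end

  attr_writer :approved
end
```

Even if a verified user's form carries a hidden approved field, it is dropped before the model sees it, and an unverified user's post is still saved, just with approved set to false.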
