I might be missing something here, but it seems as if the conventions
used when building forms in Rails apps leave a lot of open holes for
people to mess things up. For instance, let's say I have a multi-user
community app with a simple user profile page where users can edit
their profile. Not uncommon.
Now, on that page they can change things like their name, web site, IM
info, etc. But with what seems to be standard practice of updating that
info, as so...
@user = User.find(params[:id])
...it seems like you are open for major problems. Let's say you have a
role field on your model. It seems trivial to have someone inject their
own form data into the headers to add the equivalent of...
<input id="user_role" name="user[role]" type="hidden"
...and have that be passed along with the .update_attributes method. Am
Is there some common practice of protecting against this that I am just
missing? And if this isn't common practice, it should be, shouldn't it?
There is the obvious blunt route of being super-careful and checking
every field of the model, regardless of whether it's on the form or
not, but I don't see that being practiced, so I thought maybe I'm
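The mass-assignment problem described in the post, as an added example that is not part of the original message and does not use Rails itself: a plain-Ruby stand-in for a model with a naive update_attributes beside one that only accepts an explicit list of profile fields (the idea behind attr_accessible / strong parameters). The names User, EDITABLE, update_attributes_safe and TAMPERED_PARAMS are assumptions for this example.

```ruby
# Added example, not from the original post: why a bare
# update_attributes(params[:user]) lets a tampered form set `role`,
# and how a whitelist of editable attributes closes the hole.

class User
  attr_accessor :name, :website, :role

  def initialize(name:, website: nil, role: "member")
    @name, @website, @role = name, website, role
  end

  # Naive mass assignment: every key in the hash becomes a setter call,
  # so any field the model has can be set from the request.
  def update_attributes_unsafe(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end

  # Fields a user may change on their own profile page.  Anything else
  # (role, id, ...) is dropped; the dropped keys are returned so the
  # caller can log the tampering attempt.
  EDITABLE = %w[name website].freeze

  def update_attributes_safe(attrs)
    attrs = attrs.transform_keys(&:to_s)
    rejected = attrs.keys - EDITABLE
    attrs.slice(*EDITABLE).each { |k, v| public_send("#{k}=", v) }
    rejected
  end
end

# Constructed params: what the framework builds from a profile form to
# which the visitor added a hidden input named user[role].
TAMPERED_PARAMS = {
  "name" => "alice", "website" => "http://example.com", "role" => "admin"
}.freeze

def demo
  victim = User.new(name: "alice")
  victim.update_attributes_unsafe(TAMPERED_PARAMS)

  guarded = User.new(name: "alice")
  rejected = guarded.update_attributes_safe(TAMPERED_PARAMS)

  { unsafe_role: victim.role,     # "admin"  -- escalated via the form
    safe_role: guarded.role,      # "member" -- unchanged
    rejected: rejected }          # ["role"] -- worth logging
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```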