I'm refactoring an app that uses in_place_edit_for.
The controller code looks like:
    Address.content_columns.each do |column|
      in_place_edit_for :address, column.name
    end
new Ajax.InPlaceEditor('address_street_1234_in_place_editor', '/customer/product/set_address_street/1234')
Since there's no set_address_street method in the controller, I guess in_place_edit_for generates it.
But that would mean that the controller would accept any call with any id and update the fields? (Even if I check for login with a before filter, a logged-in user could change other users' data.)
So the questions:
- Am I right about the security issue here, or am I missing something? (I haven't read much of the docs yet.)
- Can I write my own methods and make in_place_edit_for use them? (Even if this would mean writing one method per attribute.)
- Or is there an alternative plugin that handles this better?
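
The concern raised in the post, as an added example that is not part of the original post and is not Rails or plugin code: a plain-Ruby sketch in which one macro generates `set_address_*` methods that look the record up by id alone, and a second macro restricts the lookup to the logged-in customer. The `Address` Struct, `ADDRESSES`, `NotFound`, `current_customer_id` and both macro names are assumptions made for illustration.

```ruby
# Constructed stand-ins: a Struct instead of an ActiveRecord model,
# a Hash instead of the request params.
Address = Struct.new(:id, :customer_id, :street, :city)
ADDRESSES = [
  Address.new(1234, 1, "1 Main St", "Springfield"), # owned by customer 1
  Address.new(5678, 2, "9 Elm Rd",  "Shelbyville")  # owned by customer 2
]
class NotFound < StandardError; end

module InPlaceMacros
  # Generated setter that trusts the id: any caller can update any row.
  def unscoped_edit_for(attribute)
    define_method("set_address_#{attribute}") do |params|
      item = ADDRESSES.find { |a| a.id == params[:id] }
      raise NotFound unless item
      item[attribute] = params[:value]
      item[attribute].to_s
    end
  end

  # Hypothetical replacement: the lookup only sees the caller's own rows,
  # so a foreign id behaves exactly like a nonexistent one.
  def owned_edit_for(attribute)
    define_method("set_address_#{attribute}") do |params|
      item = ADDRESSES.find do |a|
        a.id == params[:id] && a.customer_id == current_customer_id
      end
      raise NotFound unless item
      item[attribute] = params[:value]
      item[attribute].to_s
    end
  end
end

class Controller
  extend InPlaceMacros
  attr_reader :current_customer_id # set by the login filter in a real app
  def initialize(current_customer_id); @current_customer_id = current_customer_id; end
end

class UnscopedController < Controller
  %i[street city].each { |col| unscoped_edit_for col }
end

class OwnedController < Controller
  %i[street city].each { |col| owned_edit_for col }
end
```

Because the owner check lives inside the generating macro, it still costs one declaration per column rather than one hand-written method per attribute.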