in_place_editor & security

I'm refactoring an app that uses in_place_edit_for

the controller code looks like:

    Address.content_columns.each do |column|
      in_place_edit_for :address, column.name
    end

new Ajax.InPlaceEditor('address_street_1234_in_place_editor', '/customer/product/set_address_street/1234')

Since there's no set_address_street method in the controller, I guess in_place_edit_for generates it.

But that would mean that the controller would accept any call with any id and update the fields? (Even if I check for login with a before filter, a logged in user could change other users' data.)

So the questions:

- Am I right about the security issue here or do I miss something? (Didn't read too much docs now.)
- Can I write my own methods and make in_place_edit_for use them? (Even if this would mean writing one method per attribute.)
- Or is there an alternative plugin that handles this better?

in_place_edit_for in the controller is just shorthand for the most common case. It doesn't do anything clever; if you look at the source it's just:

    def in_place_edit_for(object, attribute, options = {})
      define_method("set_#{object}_#{attribute}") do
        @item = object.to_s.camelize.constantize.find(params[:id])
        @item.update_attribute(attribute, params[:value])
        render :text => @item.send(attribute).to_s
      end
    end

All you need to do is create methods with the appropriate name, which you could do by hand or roll your own version of in_place_edit_for which checked whatever you want checked.

Fred
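The "roll your own" approach Fred suggests, as an added example that is not code from the thread or from the plugin: the generated set_address_street method looks the record up through the logged-in user's own records instead of Address.find, and only whitelisted columns get an editor. Address, OwnedAddresses, RecordNotFound and CustomerController are constructed stand-ins so it runs without Rails; in a real app current_user_scope would be current_user.addresses.

```ruby
# Constructed stand-in for the Address model (Rails is not loaded here).
Address = Struct.new(:id, :user_id, :street, :city) do
  def update_attribute(name, value)
    self[name.to_sym] = value
    true
  end
end
class RecordNotFound < StandardError; end

# Constructed stand-in for the association current_user.addresses: find only
# ever returns records owned by that user, the way a has_many scope does.
class OwnedAddresses
  def initialize(user_id, all)
    @user_id, @all = user_id, all
  end
  def find(id)
    @all.find { |a| a.id == id.to_i && a.user_id == @user_id } or
      raise RecordNotFound, "no address #{id} for user #{@user_id}"
  end
end

# Own version of in_place_edit_for: same generated method name as the plugin,
# but the lookup is scoped to the logged-in user's records.
module ScopedInPlaceEdit
  def scoped_in_place_edit_for(object, attribute)
    define_method("set_#{object}_#{attribute}") do
      @item = current_user_scope(object).find(params[:id])
      @item.update_attribute(attribute, params[:value])
      @item.send(attribute).to_s   # Rails would render :text => this
    end
  end
end

class CustomerController
  extend ScopedInPlaceEdit
  attr_accessor :params, :current_user_id, :addresses
  EDITABLE = %w(street city)     # explicit whitelist instead of content_columns
  EDITABLE.each { |col| scoped_in_place_edit_for :address, col }

  def current_user_scope(object)   # real app: current_user.addresses
    OwnedAddresses.new(current_user_id, addresses)
  end
end

# Returns the new value for an owned record, or :rejected for someone else's.
def try_edit(controller, id, value)
  controller.params = { :id => id, :value => value }
  controller.set_address_street
rescue RecordNotFound
  :rejected
end
```

With this, a request for another user's id fails the lookup before any update runs, so the before filter only has to establish who is logged in.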