The application I am working on is largely based on Michael Hartl’s tutorial.
The create action for the users controller uses strong parameters with permitted parameters. The ‘admin’ attribute, for instance, is not included in the permitted parameters, so a malicious user could not send a PATCH request in order to become admin.
My application requires newly created users to make a list of choices on the home page in order to be redirected to a new page, reserved for users who have completed this stage.
I thought of adding to the User model a new attribute (‘member’, for instance) which can be toggled inside the create action of the Choice controller (probably with a call to a private method), once the user has completed the number of choices requested.
Is this allowed or am I required to revise strong parameters with the new attribute?
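
The two paths described in the question, as an added example that is not part of the original post or of the tutorial: a request-driven update filtered by a permit list, and a server-side toggle that never reads the request. The classes, method names and the `REQUIRED_CHOICES` threshold are hypothetical plain-Ruby stand-ins, not Rails' own `ActionController::Parameters` or ActiveRecord.

```ruby
# Added illustration in plain Ruby; the classes below are simplified stand-ins
# (assumptions), not Rails' ActionController::Parameters or ActiveRecord.
REQUIRED_CHOICES = 3 # assumed threshold; the post does not give a number

# Stand-in for params.require(:user).permit(...): keep only allow-listed keys.
def permit(raw, *allowed)
  raw.select { |key, _| allowed.include?(key.to_sym) }
end

class User
  attr_reader :name, :email, :admin, :member, :choices

  def initialize
    @admin = false
    @member = false
    @choices = []
  end

  # Mass assignment from request data: only what the caller filtered gets in.
  def update(attrs)
    attrs.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Server-side toggle: the value is decided by application code, never read
  # from the request, so 'member' does not need to be a permitted parameter.
  def promote_if_complete!
    @member = true if choices.size >= REQUIRED_CHOICES
    member
  end
end

# UsersController#update equivalent: request body is filtered first.
def users_update(user, request_params)
  user.update(permit(request_params, :name, :email))
end

# ChoicesController#create equivalent: record the choice, then run the toggle.
def choices_create(user, choice)
  user.choices << choice
  user.promote_if_complete!
end

# Constructed request: a forged PATCH that tries to set both flags.
forged = { "name" => "Mallory", "admin" => true, "member" => true }
user = users_update(User.new, forged)
puts "after forged PATCH: admin=#{user.admin} member=#{user.member}"
%w[a b c].each { |c| choices_create(user, c) }
puts "after 3 choices:    admin=#{user.admin} member=#{user.member}"
```

Keeping ‘member’ out of the permit list is what stops the forged request from setting it; the flag changes only when the server-side completion check passes.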