protect_from_forgery doesnt protect from forgery

Now when I use firebug and inspect the page, I see a neat little field
containing the authenticity_token.

But here it comes,

When I edit the page in firebug, and add a field called user_is_admin
and set its value to 1, and then submit, the changes actually go
through!! I have now made myself and admin.

Isnt protect_from_forgery supposed to protect from this? Obviously in
the controller I have kept it simple and did a
@user.update_attributes(params[:user]), expecting that the
authenticity_token would never allow any params to be posted that I
didnt allow through my form.

The forgery protect_from_forgery protects against is cross site
request forgery, ie. completely unrelated to the problem you're
tackling. You may be interested in attr_protected/attr_accessible.


The current solution is a trade-off: it is a simple solution that
covers most use cases. Often the account_id of your User model is
protected, period. That's what the current design supports.

There was a recent discussion in the core mailing list about possible
ways to make this a little more flexible:

but no conclusion except for some workarounds to the current solution
when you need them.