Now when I use Firebug and inspect the page, I see a neat little field containing the authenticity_token.

But here it comes: when I edit the page in Firebug, add a field called user_is_admin, set its value to 1, and then submit, the changes actually go through!! I have now made myself an admin.

Isn't protect_from_forgery supposed to protect from this? Obviously in the controller I have kept it simple and did a @user.update_attributes(params[:user]), expecting that the authenticity_token would never allow any params to be posted that I didn't allow through my form.
The forgery protect_from_forgery protects against is cross-site request forgery, i.e. completely unrelated to the problem you're tackling. You may be interested in attr_protected/attr_accessible.