Field security best practice

Suppose i have a model (userprofile) which may be altered by users and
admins, only 1 field (roll) may only be altered by admins.

of course i can exclude that field from the view if the users is not an
admin, but i suspect this is not very safe because one could fake this
form.

so the only thing i can think of is taking measures in the controller as
well. which is not too handy because it is a long form and i use the
update_atrributes method.

what i dit is to not include this field in params[:userprofile][:roll]
but in params[:roll] by using text_field_tag instead of tex_field.

now i can update all my fields with
@userprofile.update_params(params[:userprofile])
and update the roll field by @userprofiel.roll=params[:roll] if
current_user.roll==“admin”

what is dislike is that i have to take measures at two places (view and
controller) which is not very DRY. Are there better ways? perhaps in the
model?

Regards,

Remco

You’re right, that way it’s not secure.
Even if you fake around with the form, how would you know, that
the data that reachs your server was generated using this form?
Users can throw everything at your server, using simple command line
tools.

Use attr_protected instead:

Then you get exactly the behaviour you want, the
attribute can’t be set with update_attributes, but must
be set manually with update_attribute (or similar methods)