I’m refactoring an app that uses in_place_edit_for. The controller code looks like:
    Address.content_columns.each do |column|
      in_place_edit_for :address, column.name
    end

    new Ajax.InPlaceEditor('address_street_1234_in_place_editor',
                           '/customer/product/set_address_street/1234')
Since there’s no set_address_street method in the controller, I guess
in_place_edit_for generates it.
But that would mean that the controller would accept any call with any
id and update the fields? (Even if I check for login with a before
filter, a logged-in user could change other users’ data.)
So the questions:
- Am I right about the security issue here, or am I missing something?
(I haven’t read much of the docs yet.)
- Can I write my own methods and make in_place_edit_for use them? (Even
if this would mean writing one method per attribute.)
- Or is there an alternative plugin that handles this better?
On 16 Apr 2008, at 14:57, Thorsten M. wrote:
> '/customer/product/set_address_street/1234')
> - Am I right about the security issue here, or am I missing something?
> (I haven’t read much of the docs yet.)
> - Can I write my own methods and make in_place_edit_for use them? (Even
> if this would mean writing one method per attribute.)
in_place_edit_for in the controller is just shorthand for the most
common case. It doesn’t do anything clever; if you look at the source,
it’s just:
    def in_place_edit_for(object, attribute, options = {})
      # defines e.g. set_address_street on the controller
      define_method("set_#{object}_#{attribute}") do
        # unscoped lookup: whatever id the request carries
        @item = object.to_s.camelize.constantize.find(params[:id])
        @item.update_attribute(attribute, params[:value])
        render :text => @item.send(attribute).to_s
      end
    end
All you need to do is create methods with the appropriate name, which
you could do by hand or roll your own version of in_place_edit_for
which checked whatever you want checked.
Fred
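The "roll your own version" Fred suggests, worked through as an added example that is not from the thread or from the Rails plugin: the macro below keeps the generated set_&lt;object&gt;_&lt;attribute&gt; names that Ajax.InPlaceEditor calls, but looks the record up through the logged-in user's own rows instead of a bare find(params[:id]), so a request carrying someone else's id raises instead of updating. The Address model, BaseController and current_user_id are constructed stand-ins so the file runs without Rails; find_for_user plays the role a scoped association (current_user.addresses.find) would play in a real app.

```ruby
# Constructed stand-ins (not Rails): an in-memory model, a minimal controller
# base, and an owner-scoped replacement for in_place_edit_for.

class RecordNotFound < StandardError; end

# Each address belongs to a user; the user_id is what the scope checks.
class Address
  attr_accessor :id, :user_id, :street, :city

  def initialize(id, user_id, street, city)
    @id, @user_id, @street, @city = id, user_id, street, city
  end

  # Constructed sample rows: one address per user.
  ROWS = [
    Address.new(1234, 1, "1 Old St", "Berlin"),
    Address.new(5678, 2, "9 Other Rd", "Hamburg"),
  ]

  def self.content_columns
    %w[street city]
  end

  # Unscoped lookup, behaving like ActiveRecord's find(params[:id]):
  # any caller who knows an id gets the row.
  def self.find(id)
    ROWS.find { |r| r.id == Integer(id) } or raise RecordNotFound, id.to_s
  end

  # Scoped lookup: a row is only reachable by its owner (stand-in for
  # current_user.addresses.find(id) in a real app).
  def self.find_for_user(user_id, id)
    ROWS.find { |r| r.user_id == user_id && r.id == Integer(id) } or
      raise RecordNotFound, "#{id} for user #{user_id}"
  end

  def update_attribute(name, value)
    send("#{name}=", value)
  end
end

# Minimal controller base: params and the logged-in user's id would come
# from the request and a before-filter in Rails.
class BaseController
  attr_reader :params, :current_user_id

  def initialize(current_user_id, params)
    @current_user_id = current_user_id
    @params = params
  end

  def render(options)
    options[:text]
  end
end

# Same generated method names as the plugin, so the JavaScript side needs
# no change; only the lookup differs.
module ScopedInPlaceEditing
  def scoped_in_place_edit_for(object, attribute, options = {})
    model = Object.const_get(object.to_s.capitalize) # camelize.constantize in Rails
    define_method("set_#{object}_#{attribute}") do
      # The id from the URL is only honoured inside the current user's rows.
      @item = model.find_for_user(current_user_id, params[:id])
      @item.update_attribute(attribute, params[:value])
      render :text => @item.send(attribute).to_s
    end
  end
end

class AddressController < BaseController
  extend ScopedInPlaceEditing
  Address.content_columns.each do |column|
    scoped_in_place_edit_for :address, column
  end
end

if __FILE__ == $0
  # User 1 editing their own address 1234 succeeds...
  puts AddressController.new(1, { :id => "1234", :value => "2 New St" }).set_address_street
  # ...while the same user naming user 2's address 5678 is refused.
  begin
    AddressController.new(1, { :id => "5678", :value => "hijacked" }).set_address_street
  rescue RecordNotFound => e
    puts "refused: #{e.message}"
  end
end
```

Compared with the quoted plugin source, the only new requirement on the controller is that current_user_id (or current_user) is available, which the login before-filter in the question already provides; the before-filter alone does not help, because it answers "is someone logged in?" and not "does this id belong to them?".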