In_place_editor & security

I’m refactoring an app that uses in_place_edit_for

The controller code looks like:

Address.content_columns.each do |column|
in_place_edit_for :address, column.name
end

new Ajax.InPlaceEditor('address_street_1234_in_place_editor',
'/customer/product/set_address_street/1234')

Since there's no set_address_street method in the controller, I guess
in_place_edit_for generates it.

But that would mean that the controller accepts any call with any
id and updates the fields? (Even if I check for login with a before
filter, a logged-in user could change other users' data.)

So the questions:

  • Am I right about the security issue here or do I miss something?
    (didn’t read too much docs now)
  • Can I write my own methods and make in_place_edit_for use them? (Even
    if this would mean to write one method per attribute)
  • Or is there an alternative plugin that handles this better?

On 16 Apr 2008, at 14:57, Thorsten M. wrote:

'/customer/product/set_address_street/1234')

  • Am I right about the security issue here or do I miss something?
    (didn’t read too much docs now)
  • Can I write my own methods and make in_place_edit_for use them? (Even
    if this would mean to write one method per attribute)

in_place_edit_for in the controller is just shorthand for the most
common case. It doesn't do anything clever; if you look at the source
it's just:

 # Defines one action per attribute, named set_<object>_<attribute>
 def in_place_edit_for(object, attribute, options = {})
   define_method("set_#{object}_#{attribute}") do
     # Looks the record up by the id from the URL; nothing checks who owns it
     @item = object.to_s.camelize.constantize.find(params[:id])
     @item.update_attribute(attribute, params[:value])
     render :text => @item.send(attribute).to_s
   end
 end

All you need to do is create methods with the appropriate name, which
you could do by hand or roll your own version of in_place_edit_for
which checks whatever you want checked.

Fred
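Fred's "roll your own version" suggestion worked through, as an added example that is not code from the thread or from Rails: the macro keeps the same shape, but the record is looked up through the logged-in user's own addresses instead of Model.find(params[:id]), so an id belonging to someone else is simply not found. The Address, User and controller classes are constructed stand-ins so the file runs without Rails, and current_user is assumed to be whatever the login before filter sets.

```ruby
# Added example (not the thread's or Rails' own code): in_place_edit_for with
# the lookup scoped to the logged-in user's own addresses. Model, user and
# controller are constructed stand-ins so the file runs without Rails.
class RecordNotFound < StandardError; end
# Constructed stand-in for an ActiveRecord row with a `street` column.
Address = Struct.new(:id, :street) do
  def update_attribute(attr, value); public_send("#{attr}=", value); end
end
# Constructed User has_many :addresses stand-in: find_address sees only this
# user's rows, like an association scope, and raises for any other id.
User = Struct.new(:id, :addresses) do
  def find_address(address_id)
    addresses.find { |a| a.id == address_id } or
      raise RecordNotFound, "address #{address_id} is not owned by user #{id}"
  end
end

module OwnedInPlaceEdit
  # Same shape as Rails' in_place_edit_for, but params[:id] is resolved through
  # current_user, so an id belonging to someone else is not found, not updated.
  def owned_in_place_edit_for(object, attribute)
    define_method("set_#{object}_#{attribute}") do
      @item = current_user.public_send("find_#{object}", params[:id])
      @item.update_attribute(attribute, params[:value])
      render :text => @item.send(attribute).to_s
    end
  end
end

# Constructed controller: current_user, params and render are all the action needs.
class CustomerController
  extend OwnedInPlaceEdit
  attr_reader :current_user, :params, :rendered
  def initialize(current_user, params); @current_user, @params = current_user, params; end
  def render(opts); @rendered = opts[:text]; end
  owned_in_place_edit_for :address, :street
end

# Constructed data: user 1 owns address 1234, user 2 owns address 5678.
ALICE = User.new(1, [Address.new(1234, "Old Street")])
BOB   = User.new(2, [Address.new(5678, "Other Street")])
# One edit by `user` of address `id`: the rendered street, or nil when the
# ownership check rejects the id before anything is updated.
def try_edit(user, id, value)
  ctl = CustomerController.new(user, :id => id, :value => value)
  ctl.set_address_street
  ctl.rendered
rescue RecordNotFound
  nil
end
```

In a real controller the find would be `current_user.addresses.find(params[:id])`, and the `before_filter` that sets `current_user` still has to run in front of the generated action.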