If I’m not mistaken, a user can send POST data from outside of a web
browser; I think this is something that is done to brute-force form
logins, or to automate spam, etc.

In my app, which operates like a forum, Comment objects have a boolean
attribute “sticky” which determines if that Comment is displayed before
all other comments.

I was thinking, what would happen if a user forcefully sent “sticky =>
true” in POST data? I would imagine my app’s new_comment action would
simply create a new object from that data and falsely make his or her
post a sticky-post. Is this a possibility, and is it something I should
be trying to prevent? Just something I recently pondered.
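
The scenario in the post above, as an added example that is not part of the original post and not the poster's code: a framework-free Ruby sketch of a create action that passes every submitted field to the model, next to one that allow-lists user-writable fields. The `Comment` class, the `author` and `body` fields, the helper names and the sample body are hypothetical.

```ruby
require "uri"

# Hypothetical model: a comment with a privileged "sticky" flag.
class Comment
  attr_reader :author, :body, :sticky

  def initialize(attrs = {})
    @author = attrs["author"]
    @body   = attrs["body"]
    # Form values arrive as strings, so "true" is cast explicitly.
    @sticky = attrs["sticky"].to_s == "true"
  end
end

# Fields an ordinary user may set; "sticky" is deliberately absent.
USER_WRITABLE = %w[author body].freeze

# A form-encoded POST body is plain text; the server cannot tell
# whether a browser form or some other HTTP client produced it.
def parse_form(raw_body)
  URI.decode_www_form(raw_body).to_h
end

# Before: every submitted field reaches the model (mass assignment).
def create_unfiltered(raw_body)
  Comment.new(parse_form(raw_body))
end

# After: only allow-listed fields reach the model. "sticky" is accepted
# only when the server-side session (not the request) marks the user
# as a moderator. Dropped keys are returned so they can be logged.
def create_filtered(raw_body, moderator: false)
  allowed   = moderator ? USER_WRITABLE + ["sticky"] : USER_WRITABLE
  submitted = parse_form(raw_body)
  rejected  = submitted.keys - allowed
  [Comment.new(submitted.slice(*allowed)), rejected]
end

# Constructed sample body carrying a field the form never offered.
SAMPLE_BODY = "author=alice&body=hello+world&sticky=true"

comment, rejected = create_filtered(SAMPLE_BODY)
puts "unfiltered sticky: #{create_unfiltered(SAMPLE_BODY).sticky}"
puts "filtered sticky:   #{comment.sticky} (rejected: #{rejected.inspect})"
```

Logging the rejected keys gives a cheap signal that someone is submitting fields the form does not contain.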