I'm a Rails beginner and currently reading Michael Hartl's Rails 3 Tutorial and have a question that I'm really curious about:
In the context of creating an admin user and 99 other normal users via 'faker', Hartl explains why it would be a bad idea to add ":admin" to the attr_accessible list in the user model and thus add "admin: true" to the initialization hash in the 'faker' test code. Instead he explains that one should use "toggle!(:admin)" and avoid adding ":admin" to the accessible attributes, because otherwise malicious users could directly send a PUT request like "PUT /users/17?admin=1".
http://ruby.railstutorial.org/book/ruby-on-rails-tutorial#sec:revisiting_attr_accessible
So, following Hartl's advice, my admin boolean is now secure, but what about my other user attributes such as name and email, which ARE defined as accessible attributes? Does this mean that malicious users could easily change these attributes via a PUT request similar to the one above? In the tutorial, Hartl speaks of a command-line tool named curl that could issue such PUT requests. I don't really want to try this with my sample app; my question is just: am I overlooking something, or could a malicious user issue a PUT request such as "put /users/17?name='new_name'"?
Thank you in advance if anyone will answer my question!
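As an added illustration (not code from the question or from Hartl's tutorial), the following stand-alone Ruby sketch models what attr_accessible does and what it does not do: the whitelist drops a protected key such as "admin" from a mass-assignment hash, while a whitelisted key such as "name" is accepted, so a separate ownership check in the update action is what stops another logged-in user from renaming user 17. Rails is not required; the `User` class, the `ACCESSIBLE` set and `update_user` are hypothetical stand-ins for the model and controller.

```ruby
require 'set'

class User
  attr_reader :id, :name, :email, :admin

  # Whitelist: only these keys survive mass assignment (attr_accessible analogue).
  # Hypothetical constant, not a Rails API.
  ACCESSIBLE = Set.new(%w[name email]).freeze

  def initialize(id, name, email)
    @id, @name, @email, @admin = id, name, email, false
  end

  # Mass assignment: silently drops keys that are not whitelisted, e.g. "admin".
  def assign_attributes(params)
    params.each do |key, value|
      next unless ACCESSIBLE.include?(key.to_s)
      instance_variable_set("@#{key}", value)
    end
    self
  end

  # The tutorial's alternative: flip admin explicitly in code, never via params.
  def toggle!(attr)
    instance_variable_set("@#{attr}", !send(attr))
    self
  end
end

# Hypothetical controller action for PUT /users/:id.
# The whitelist blocks "admin=1"; the owner check is what blocks "name=..."
# when the request comes from a user other than the record's owner.
def update_user(target, current_user, params)
  return [:forbidden, target] unless current_user.id == target.id
  [:ok, target.assign_attributes(params)]
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(17, "Alice", "alice@example.com")       # constructed sample data
  mallory = User.new(42, "Mallory", "mallory@example.com")
  puts update_user(alice, mallory, "name" => "Pwned").first        # forbidden
  puts update_user(alice, alice, "admin" => "1").last.admin        # false
end
```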