5
votes

I'm having trouble working with disabled checkboxes.

I've tried two approaches. First:

= check_box "permissions", "permission_#{row}[create]", {checked: has_permission?(@user, permission, "create")}, 'true', 'false'

This checkbox is disabled inside of the view but also checked, but when submitted its value in my params looks like this:

"create"=>"false"

So when I update my attributes, created is changed from true to false in my params.

How can I send true to my params instead of false, when a disabled checkbox is checked?

1
Try the first one with the disabled flag set to true so like this: <%= check_box "permissions", "permission_#{row}[create]", {checked: has_permission?(@user, permission, "create")}, 'true', 'false', disabled: true %>. That might keep it out of your params. No guarantees though - MCBama
A check box not in your params should be treated as false. Only treat it as true if it is checked. - Matt Stevens
When an HTML form field is disabled it will not be returned to the server, so it would only send back the value for the hidden field (which would be false). If you wanted to return true for a disabled field you would either need to update the hidden field, or have your own hidden field to send you back the correct value. - FuzzyJulz

1 Answer

2
votes

I suppose the reason why you've disabled those checkboxes in the first place is to make permissions read-only. But it's very easy for someone to remove the disabled flag from the checkbox by using browser debugging tools, set the permissions and submit.

Therefore I would suggest removing these values from params before handing to the model no matter what, for example by excluding them from the allowed parameters, or by issuing splice.

This way you will still be displaying the actual permissions, but ignoring any attempt to change them without authorization.
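The server-side filtering suggested in the answer, as an added example that is not part of the original post. It is plain Ruby with no Rails dependency; `apply_permission_update`, the `editable` map and the sample data are hypothetical names and constructed values, and the params shape follows the `permission_#{row}[create]` naming from the question.

```ruby
# Added example (hypothetical names, constructed data).
#
# stored    - current permissions loaded from the database,
#             e.g. {"permission_1" => {"create" => true, "read" => false}}
# submitted - the "permissions" hash from the request (string values)
# editable  - per row, the actions the server decided the current user may
#             change; derived from authorization, never from the form itself
#
# Returns [updated, ignored]. Only editable pairs take the submitted value.
# Every other pair keeps its stored value, whatever the request contained,
# so a read-only box that arrives as "false" (or "true") changes nothing.
def apply_permission_update(stored, submitted, editable)
  updated = stored.transform_values(&:dup) # do not mutate the caller's data
  ignored = []

  submitted.each do |row, actions|
    # Unknown rows or malformed values are dropped as a whole.
    unless stored.key?(row) && actions.is_a?(Hash)
      ignored << [row, "*"]
      next
    end

    actions.each do |action, raw|
      allowed = editable.fetch(row, []).include?(action) &&
                stored[row].key?(action)
      if allowed
        updated[row][action] = (raw == "true") # anything else means false
      else
        ignored << [row, action] # worth logging; not always tampering
      end
    end
  end

  [updated, ignored]
end

# Constructed sample: "create" is read-only for this user, "read" is editable.
STORED    = { "permission_1" => { "create" => true, "read" => false } }.freeze
EDITABLE  = { "permission_1" => ["read"] }.freeze
SUBMITTED = {
  "permission_1" => { "create" => "false", "read" => "true" },
  "permission_9" => { "create" => "true" } # row the server never rendered
}.freeze

updated, ignored = apply_permission_update(STORED, SUBMITTED, EDITABLE)
puts "updated: #{updated.inspect}"
puts "ignored: #{ignored.inspect}"
```

In a Rails controller the same effect comes from permitting only the editable keys through strong parameters before the attributes reach the model.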