Protect attributes not modified during the updates
Reported by Wojciech Ochmański | June 9th, 2009 @ 05:07 PM | in Release 3.2
Currently a user is able to change the activity owner and change their own
role to admin.
Use: attr_protected, or attr_accessible
Comments and changes to this ticket
-
Piotr Solnica (solnic) June 10th, 2009 @ 10:22 PM
- → Tag changed from security to priority security
- → State changed from new to open
- → Milestone changed from to Release 3.1
-
Piotr Solnica (solnic) June 27th, 2009 @ 08:56 PM
- → Assigned user changed from MyCo to Piotr Solnica (solnic)
-
Piotr Solnica (solnic) July 18th, 2009 @ 06:17 PM
- → Milestone changed from Release 3.1 to Release 3.2
Access control is only on the controller level, which is unfortunate of course. We will improve that, but in the next release, so I'm moving it to 3.2
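The attribute whitelist suggested in the ticket, sketched in plain Ruby as an added example (not the project's code and not the ORM's own `attr_accessible`). The `GuardedAttributes` module, the `User` and `Activity` classes and their attribute names are assumptions made for illustration.

```ruby
# Added illustration; module, class and attribute names are hypothetical.
module GuardedAttributes
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Whitelist of attributes that request parameters are allowed to set.
    def accessible(*names)
      @accessible = names.map(&:to_s).freeze
    end

    def accessible_names
      @accessible || []
    end
  end

  # Unguarded update: writes every submitted key that has a setter,
  # which is the behaviour the ticket reports.
  def update_all(params)
    params.each { |k, v| public_send("#{k}=", v) if respond_to?("#{k}=") }
    self
  end

  # Guarded update: writes whitelisted keys only and returns the rejected
  # keys so the caller can log the attempt.
  def update_guarded(params)
    params.each_with_object([]) do |(key, value), rejected|
      if self.class.accessible_names.include?(key.to_s)
        public_send("#{key}=", value)
      else
        rejected << key.to_s
      end
    end
  end
end

class User
  include GuardedAttributes
  attr_accessor :name, :role
  accessible :name            # role can only be set by explicit code
end

class Activity
  include GuardedAttributes
  attr_accessor :comments, :user_id
  accessible :comments        # owner (user_id) is never taken from params
end
```

The controller-level check still decides who may call the update; the whitelist decides which fields that update can touch, so a submitted `role` or `user_id` is dropped and reported instead of written.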
A Merb-based time tracking and invoicing system
