inossidabile / protector

Comfortable (seriously) white-list security restrictions for models on a field level
MIT License

Using Widget.restrict!(user).create!(params) allows creation even when not allowed. #23

Closed: Altonymous closed 11 years ago

Altonymous commented 11 years ago

Does not block creation when meant to:

@widget = Widget.restrict!(current_user).create!(widget_params)

Does block creation when meant to:

@widget = Widget.new(widget_params).restrict!(current_user).save!