Closed sheerun closed 11 years ago
... and this will give you a false feeling of security ...
Agree with @teamon, using dumb tricks doesn't improve security.
You missed the part about STI. And this is not a dumb trick, I gave you a specific example.

If you have only `admin?` on the `User` class there is no STI. Following this way of thinking we should put everything in separate tables, like `account.owner_id = my_id` and others. `user.admin = true` is not a special case here.

For an attacker it's easier to change `user.admin = true` (for example when the application doesn't use strong_parameters or whitelisted attributes) than to add a new Admin record. Besides, when Admin and User are in the same table, STI is used, which sucks.
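The mass-assignment vector mentioned in the comment above, as an added example that is not code from this thread or from any project. It is plain Ruby with no Rails dependency: the `User` class, the `permit` helper and the request hash are all constructed for illustration, and `permit` is a minimal stand-in for what Rails' strong_parameters (`ActionController::Parameters#permit`) does, not the real implementation.

```ruby
# Added example (not from the thread or any project): a plain-Ruby stand-in
# for the mass-assignment problem discussed above. The User class, the permit
# helper and the request hash are assumptions built for illustration; Rails'
# strong_parameters is the real-world equivalent of `permit` here.

class User
  attr_accessor :email, :name, :admin

  # Mass assignment: every key in the hash becomes a setter call, the way
  # `User.new(params[:user])` behaved before attribute whitelisting.
  def initialize(attrs = {})
    @admin = false
    attrs.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
  end

  # Form posts arrive as strings, so treat the usual truthy encodings as admin.
  def admin?
    @admin == true || @admin == "true" || @admin == "1"
  end
end

# Minimal whitelist in the spirit of strong_parameters: keep only the keys the
# form is supposed to send and drop everything else, including `admin`.
def permit(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |key, _| allowed.include?(key.to_s) }
end

# Constructed request body (no real request involved): a self-registration
# form where the attacker has added an extra `admin` field.
ATTACKER_PARAMS = {
  "email" => "mallory@example.com",
  "name"  => "Mallory",
  "admin" => "true"
}.freeze

# Vulnerable path: whatever the client sends is assigned, so `admin` flips.
def register_unfiltered(params)
  User.new(params)
end

# Hardened path: only the declared attributes survive the whitelist.
def register_whitelisted(params)
  User.new(permit(params, :email, :name))
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered  admin? => #{register_unfiltered(ATTACKER_PARAMS).admin?}"
  puts "whitelisted admin? => #{register_whitelisted(ATTACKER_PARAMS).admin?}"
end
```

The attacker needs nothing but an extra form field to become admin on the unfiltered path; on the whitelisted path the field is silently discarded and the account is created with the default `admin = false`. That is the difference between "one extra parameter" and "insert a row into another table" that the comment is pointing at.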