I am creating a forum software. I want admins and mods to be able to close certain topics.
The code is sanitized to show only the relevant info.
Models

    class User < ActiveRecord::Base
      attr_accessible :name, :email, :password, :password_confirmation, :bio
      has_many :topics, dependent: :destroy
    end

    class Topic < ActiveRecord::Base
      belongs_to :user
      # :closed is deliberately left off this whitelist
      attr_accessible :name, :last_post_id, :content
    end

Schema for user: the admin and mod columns determine admins and mods.

    create_table "users", :force => true do |t|
      t.string   "name"
      t.string   "email"
      t.datetime "created_at",      :null => false
      t.datetime "updated_at",      :null => false
      t.string   "password_digest"
      t.string   "remember_token"
      t.boolean  "admin",           :default => false
      t.text     "bio"
      t.boolean  "mod",             :default => false
    end

Schema for topic: the closed column determines the topic's closed status.

    create_table "topics", :force => true do |t|
      t.datetime "created_at",   :null => false
      t.datetime "updated_at",   :null => false
      t.integer  "forum_id"
      t.string   "name"
      t.integer  "last_post_id"
      t.integer  "views"
      t.integer  "user_id"
      t.boolean  "closed",       :default => false
      t.text     "content"
    end

I am reluctant to use attr_accessible :closed for the TOPIC model because it will be vulnerable to a malicious PUT request (correct me if I am wrong).
Is there some way for Rails app to be able to access and modify value of closed column of TOPIC without using attr_accessible, so that only mods and admins can edit them?
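As an added example (not the asker's code, and not Rails itself): a plain-Ruby sketch of the pattern the question is circling, where `closed` stays off the mass-assignment whitelist so a PUT body cannot flip it, and the only write path is an explicit, role-checked method. In a real Rails app the same shape is a dedicated controller action that assigns `topic.closed` directly, guarded by a before_filter on `current_user.admin?`/`mod?`; the `Topic#assign_attributes` below is a stand-in for `attr_accessible` behaviour, and the `User` struct and `NotAuthorized` error are assumptions for the example.

```ruby
# Added example: simulates Rails-style whitelisted mass assignment plus a
# separate, authorized write path for the privileged `closed` flag.
class NotAuthorized < StandardError; end

# Stand-in for the users table: admin/mod booleans decide moderator rights.
User = Struct.new(:name, :admin, :mod) do
  def moderator?
    admin || mod
  end
end

class Topic
  # What an ordinary form/PUT body is allowed to set (mirrors attr_accessible).
  MASS_ASSIGNABLE = %i[name content].freeze

  attr_reader :name, :content, :closed

  def initialize(name:, content:, closed: false)
    @name, @content, @closed = name, content, closed
  end

  # Mimics attr_accessible: any key not on the whitelist is dropped, so a
  # request carrying "closed" => true leaves the flag untouched.
  def assign_attributes(params)
    params.each do |key, value|
      next unless MASS_ASSIGNABLE.include?(key.to_sym)
      instance_variable_set("@#{key}", value)
    end
    self
  end

  # Privileged state change: explicit assignment, never mass assignment,
  # and gated on the acting user's role rather than on request contents.
  def set_closed(actor, value)
    unless actor.moderator?
      raise NotAuthorized, "#{actor.name} may not close or reopen topics"
    end
    @closed = value
    self
  end
end
```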