In my app, I have a “User” model, which includes a number of attributes including “has_admin_rights”. If true, the user is an admin; if false, they aren’t.
Each user has a profile, with their login name, email address, profile pic, etc.
If I’m logged in as a regular user, I can click on a page called “profile”, and I can edit my own account, e.g. updating my email address, profile pic, password, whatever. I can ONLY edit my account, and no other.
If I’m logged in as an admin, I can do a little more: for example, I can make ANOTHER user an admin, or take away their admin rights.
Now, only an admin has access to the view where the “make admin” check box appears, but I have a feeling that simply restricting access to the view isn’t sufficient.
What I’m concerned about is, since any user can edit their own profile, what’s there to stop a user from submitting a custom form post, which has in it the "has_admin_rights" => "1" parameter on their own account – thereby granting themselves admin access?
What I’m thinking is that, in the User controller, before applying any changes to the “has_admin_rights” field, that I need to check to make sure the user making the request is currently an admin – otherwise I ignore the request altogether, and make no changes.
Yes, exactly. Never trust the client; remember that anybody can just tweak the page directly with Firebug or whatever.
I’d also suggest that you consider adding an audit trail, and log something whenever one admin makes another user into an admin. Maybe also send email to all the admins for a particular group to let them know that an admin has been created (or that rights have been revoked).
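Added example (my own code, not from either poster or from any Rails project): a plain-Ruby model of the server-side check the question proposes, together with the audit log the answer recommends. It stands in for a Rails controller with a "strong parameters" style whitelist: the submitted params are filtered by what the requester is allowed to set, so a self-edit that smuggles in has_admin_rights is silently dropped, while an admin's change is applied and recorded. The User struct, the attribute lists, the update_user function and the sample accounts are all assumptions for the demonstration.

```ruby
# Added example, not from the original thread. Plain Ruby, no Rails;
# User, SELF_EDITABLE, ADMIN_ONLY, permitted_attributes and update_user
# are names assumed here for illustration.

User = Struct.new(:id, :login, :email, :has_admin_rights, keyword_init: true)

# Attributes any user may change on their own profile.
SELF_EDITABLE = %w[login email profile_pic password].freeze
# Attributes only an admin may change (the "make admin" check box).
ADMIN_ONLY = %w[has_admin_rights].freeze

# Audit trail: one entry per change of admin rights.
AUDIT_LOG = []

# Server-side whitelist, independent of which view rendered the form:
# keep only the keys this requester is allowed to set, whatever the client sent.
def permitted_attributes(submitted, requester)
  allowed = SELF_EDITABLE.dup
  allowed.concat(ADMIN_ONLY) if requester.has_admin_rights
  submitted.select { |key, _| allowed.include?(key.to_s) }
end

# Applies a profile update. Returns the list of submitted keys that were
# ignored, so a caller can log or inspect attempted privilege escalation.
def update_user(target, submitted, requester)
  # A regular user may edit only their own account; an admin may edit any.
  unless requester.has_admin_rights || requester.id == target.id
    raise ArgumentError, "user #{requester.id} may not edit user #{target.id}"
  end

  attrs = permitted_attributes(submitted, requester)
  dropped = submitted.keys.map(&:to_s) - attrs.keys.map(&:to_s)

  if attrs.key?("has_admin_rights")
    # Form posts arrive as strings; normalise "1"/"true" to a boolean.
    new_value = %w[1 true].include?(attrs["has_admin_rights"].to_s)
    if new_value != target.has_admin_rights
      # Record who granted or revoked admin rights on whom; a real app
      # would also notify the other admins here, as the answer suggests.
      AUDIT_LOG << { actor: requester.id, target: target.id, admin: new_value }
    end
    target.has_admin_rights = new_value
  end

  target.login = attrs["login"] if attrs.key?("login")
  target.email = attrs["email"] if attrs.key?("email")
  dropped
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample accounts.
  bob = User.new(id: 2, login: "bob", email: "bob@example.test", has_admin_rights: false)
  forged = { "email" => "bob2@example.test", "has_admin_rights" => "1" }
  dropped = update_user(bob, forged, bob)
  puts "ignored from bob's self-edit: #{dropped.inspect}"   # ["has_admin_rights"]
  puts "bob admin? #{bob.has_admin_rights}"                 # false
end
```

The point of filtering in update_user rather than in the view is that the whitelist applies to every request path, including a hand-crafted POST; in a real Rails app the same effect comes from permitting has_admin_rights only when current_user is an admin, and the AUDIT_LOG entry would be a row written in the same transaction as the update.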