保护预填写的表单字段不被用户覆盖 (Rails)

发布于 2024-10-07 09:25:45 字数 463 浏览 6 评论 0原文

我有一个注册表单,其中大部分字段都是使用用户的 Facebook 帐户预先填写的。我想让一些字段,比如电子邮件,用户无法覆盖。有什么想法如何解决这个问题吗?

更新: 也许这会更有意义......我有一个注册表单,它是:

  1. 首先预先填写用户 Facebook 帐户的信息,
  2. 然后用户必须填写一些额外的字段,例如密码。
  3. 提交表单时,将使用该表单数据创建新用户。

我想要的是确保我从 Facebook 收到并用于预填写注册表单的电子邮件与我创建新用户记录时相同。

我需要一种方法来比较从 Facebook 收到的电子邮件和提交表单时收到的电子邮件,或者以某种方式禁止用户编辑该字段。

我正在考虑也许将电子邮件存储到用户会话中...但这听起来不对...

谢谢!

I have a signup form of which most fields are pre-filled using user's Facebook account. I would like to make some fields, like - email, impossible for user to overwrite. Any ideas how to solve this?

Updated:
Maybe this will make more sense... What I have is a sign up form, which is:

  1. first being pre-filled with information from user's Facebook account,
  2. then user has to fill in some extra fields, like password.
  3. when form is submitted new user is created using that form data.

What I want is to make sure that the email that I got from Facebook and used to prefill signup form is the same at the time I create a new user record.

I need a way to compare email that I got from Facebook and email that I got when form was submitted, or somehow to forbid user from editing that field.

I was thinking about maybe storing email into users session...but that doesn't sound right...

Thanks!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

农村范ル 2024-10-14 09:25:45

您可以禁用 HTML 中的输入字段。这会阻止用户编辑值。然而,像 firebug 这样的工具使得“破解”它变得微不足道。大多数人不会,通常这就足够了。

如果您确实想强制执行它,则必须在将参数发送到数据库之前删除服务器端的参数。一种方法是实现您自己的动态 attr_accessible。另一种方法是将它们从 params 哈希中删除。

You can disable input fields in the HTML. This stops users from editing the values. However, tools like firebug make it trivial to "hack" it. Most people won't and usually this is enough.

If you really want to enforce it, you'll have to remove the parameters on the serverside, just before you send them to the database. One way is to implement your own dynamic attr_accessible. The other way is to remove them from the params hash.

时光暖心i 2024-10-14 09:25:45

正如你所建议的,我会在会话中存储你想从 Facebook 保留的任何内容。当然,您不能信任用户提交的任何内容,因此您在服务器端收到的任何重要内容都需要保留。

如果您不希望他们能够更改电子邮件的输入字段,则没有理由提供该输入字段。我只会显示它。

您可能需要考虑在电子邮件上使用 attr_protected :email (或者更好的是使用 attr_accessible),这样您就可以确保该字段不会出现意外更新。

I would store whatever you want to retain from facebook in the session, as you suggest. Of course you cannot trust anything the user submits so anything you've received on the server side that's important needs to be retained.

There's no reason to provide an input field for email if you don't want them to be able to change it. I would just display it.

You might want to consider using attr_protected :email (or better yet use attr_accessible) on email so you can be sure there are no unintentional updates to the field.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文