In going through the code to find similar URL-fishing holes to the one the NYC group used to break the dev site, I've done some thinking about whether we need to add an "admin" bit for members, or something. Obviously, we can use constraints and filters to protect against most actions, but there are certain operations (like deleting locations, or cleaning up spam articles/events/whatever) that really only make sense for a "privileged" user.
So, should we add such a flag to the user model, and an interface for admins to grant and revoke other admins' privs, or stick to using the console and/or a password-protected alternate site running a bare scaffold to manage the messy bits?

-- Lennon
rcoder.net

_______________________________________________
PdxRuby-dev mailing list
[email protected]
http://lists.pdxruby.org/mailman/listinfo/pdxruby-dev
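As an added illustration of the "admin bit plus filter" option weighed above (this is example code written for this page, not the PdxRuby site's code or anything Lennon posted): a minimal model in plain Ruby, so it runs without Rails. It shows the two checks a practitioner would want with that approach: the admin flag must never be settable from request parameters (otherwise the same kind of URL/form fiddling that hit the dev site could flip it), and grant/revoke must be guarded so that the last admin cannot be revoked. The names `User`, `Guard`, `AdminRegistry` and the action list are assumptions for the example.

```ruby
# Added example, not code from the PdxRuby site or the mailing-list author.
# Names (User, Guard, AdminRegistry, PRIVILEGED_ACTIONS) are assumed.

class NotAuthorized < StandardError; end

class User
  attr_reader :login

  def initialize(login, admin: false)
    @login = login
    @admin = admin
  end

  def admin?
    @admin
  end

  # Build a user from request params. The admin bit is deliberately NOT read
  # from params: a client must not be able to become admin by adding
  # "admin=1" to a signup or profile form (a mass-assignment hole).
  def self.from_params(params)
    new(params.fetch("login"))
  end

  # Grant/revoke go through one method that checks the caller's privilege,
  # so the rule "only admins change admin bits" lives in a single place.
  def set_admin(flag, by:)
    raise NotAuthorized, "#{by.login} is not an admin" unless by.admin?
    @admin = flag
  end
end

# Operations that only make sense for a privileged user (as in the post).
PRIVILEGED_ACTIONS = %w[destroy_location purge_spam grant_admin revoke_admin].freeze

# Stand-in for a before_filter: non-privileged actions are open to anyone,
# privileged ones require a logged-in user with the admin bit set.
class Guard
  def initialize(privileged = PRIVILEGED_ACTIONS)
    @privileged = privileged
  end

  def allowed?(user, action)
    return true unless @privileged.include?(action)
    !user.nil? && user.admin?
  end

  # Runs the block only if allowed; otherwise raises, like a filter that
  # renders 403 and halts the chain.
  def run(user, action)
    unless allowed?(user, action)
      raise NotAuthorized, "#{user ? user.login : 'anonymous'} may not #{action}"
    end
    yield
  end
end

# Refuses to revoke the only remaining admin, so the site can never be left
# with nobody able to grant privileges again.
class AdminRegistry
  def initialize(users)
    @users = users
  end

  def admins
    @users.select(&:admin?)
  end

  def grant(target, by:)
    target.set_admin(true, by: by)
  end

  def revoke(target, by:)
    raise NotAuthorized, "cannot revoke the last admin" if admins == [target]
    target.set_admin(false, by: by)
  end
end

# Constructed sample: one seeded admin and one member who tries to smuggle
# an admin flag through the signup params.
def demo
  root  = User.new("root", admin: true)
  bob   = User.from_params({ "login" => "bob", "admin" => "1" })
  guard = Guard.new
  registry = AdminRegistry.new([root, bob])
  r = {}
  r[:bob_admin_after_signup] = bob.admin?                           # false
  r[:bob_can_view]    = guard.allowed?(bob, "show_location")        # true
  r[:bob_can_destroy] = guard.allowed?(bob, "destroy_location")     # false
  r[:anon_can_destroy] = guard.allowed?(nil, "destroy_location")    # false
  begin
    registry.grant(root, by: bob)                                   # non-admin granting
    r[:bob_granted] = true
  rescue NotAuthorized
    r[:bob_granted] = false
  end
  registry.grant(bob, by: root)
  r[:bob_admin_after_grant] = bob.admin?                            # true
  registry.revoke(root, by: bob)                                    # fine: bob remains
  begin
    registry.revoke(bob, by: bob)                                   # bob is the last admin
    r[:last_admin_revoked] = true
  rescue NotAuthorized
    r[:last_admin_revoked] = false
  end
  r
end

demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $PROGRAM_NAME
```

In a Rails app the equivalent is keeping `admin` out of the attributes a form may assign, a `before_filter` that checks `current_user.admin?` on the destructive actions, and a grant/revoke action that is itself behind that filter; the console-or-scaffold alternative avoids writing the last part but leaves the destructive actions with no guard at all if they ever get routed.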
