The application I am working on is largely based on Michael Hartl's tutorial. The create action for the users controller uses strong parameters <https://www.railstutorial.org/book/updating_and_deleting_users#sec-revisiting_strong_parameters> with permitted parameters. The 'admin' attribute, for instance, is not included in the permitted parameters, so a malicious user could not send a PATCH request in order to become admin.
My application requires newly created users to make a list of choices on the home page in order to be redirected to a new page, reserved for users who have completed this stage. I thought to add to the User model a new attribute ('member', for instance) which can be toggled inside the create action of the Choice controller (probably with a call of a private method), once the user has completed the number of choices requested. Is this allowed or am I required to revise strong parameters with the new attribute?
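
An added example, not part of the original post and not Rails code: a plain-Ruby model of the design described above, showing that an allow-list filters only request-supplied attributes, while a flag set by server-side logic never passes through it. `PERMITTED`, `REQUIRED_CHOICES`, `promote_if_complete!` and `create_choice` are hypothetical names, and the threshold of 3 choices is an assumption.

```ruby
# Plain-Ruby stand-in for the design in the post (constructed; not Rails itself).
# PERMITTED plays the role of params.require(:user).permit(...) and
# User#assign plays the role of mass assignment from a request.
PERMITTED = %i[name email password password_confirmation].freeze
REQUIRED_CHOICES = 3 # assumed number of choices needed to become a member

class User
  attr_reader :name, :email, :admin, :member, :choices

  def initialize
    @admin = false
    @member = false
    @choices = []
  end

  # Mass assignment: sets whatever attributes it is handed, so it must
  # only ever receive data that has already been filtered.
  def assign(attrs)
    attrs.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Server-side toggle: the value is computed from application state
  # and is never read from the request.
  def promote_if_complete!
    @member = true if choices.size >= REQUIRED_CHOICES
    member
  end
end

# Allow-list filter: drop every submitted key that is not permitted.
def user_params(raw)
  raw.fetch(:user, {}).select { |key, _| PERMITTED.include?(key.to_sym) }
end

# Stand-in for the Choice controller's create action: only the choice
# label is taken from the request; any :user keys sent along are ignored.
def create_choice(user, raw)
  label = raw.fetch(:choice, {})[:label]
  user.choices << label if label.is_a?(String) && !label.empty?
  user.promote_if_complete!
end

# Constructed request that tries to smuggle in privileged attributes.
FORGED = { user: { name: "Eve", email: "eve@example.com",
                   admin: true, member: true } }.freeze
```

The flag stays protected only while no controller passes request data containing `member` to mass assignment, which is why it is kept off the permitted list here.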