Reputation: 20004
I have a signup form of which most fields are pre-filled using the user's Facebook account. I would like to make some fields, like email, impossible for the user to overwrite. Any ideas how to solve this?
Updated: Maybe this will make more sense... What I have is a sign up form, which is:
What I want is to make sure that the email that I got from Facebook and used to prefill signup form is the same at the time I create a new user record.
I need a way to compare email that I got from Facebook and email that I got when form was submitted, or somehow to forbid user from editing that field.
I was thinking about maybe storing the email in the user's session... but that doesn't sound right...
Thanks!
Upvotes: 1
Views: 581
Reputation: 7586
I would store whatever you want to retain from Facebook in the session, as you suggest. Of course you cannot trust anything the user submits, so anything you've received on the server side that's important needs to be retained.
There's no reason to provide an input field for email if you don't want them to be able to change it. I would just display it.
You might want to consider using attr_protected :email (or better yet use attr_accessible) on email so you can be sure there are no unintentional updates to the field.
Upvotes: 0
Reputation: 16274
You can disable input fields in the HTML. This stops users from editing the values. However, tools like Firebug make it trivial to "hack" it. Most people won't, and usually this is enough.
If you really want to enforce it, you'll have to remove the parameters on the server side, just before you send them to the database. One way is to implement your own dynamic attr_accessible. The other way is to remove them from the params hash.
Upvotes: 2
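The two server-side suggestions in the answers above (keep the Facebook value in the session, and remove the field from the params hash before saving) combined into one sketch. This is an added example, not code from any of the posters: it uses plain Ruby hashes in place of the Rails `session` and `params` objects, and the method names, `LOCKED_FIELDS` and the sample data are hypothetical.

```ruby
# Plain-Ruby stand-in for a Rails controller; `session` and the submitted
# params are ordinary hashes here. All names below are hypothetical.

LOCKED_FIELDS = %w[email].freeze # fields the user must not be able to override

# Step 1: when the prefilled form is rendered, keep the trusted values
# server-side instead of relying on what the browser sends back.
def remember_facebook_profile(session, fb_profile)
  session[:fb_locked] = fb_profile.slice(*LOCKED_FIELDS)
end

# Step 2: on submit, discard whatever the browser sent for locked fields and
# substitute the values remembered in step 1. Returns the attributes to save
# and the list of locked fields the client tried to change (useful for logging).
def build_signup_attributes(session, submitted)
  locked = session[:fb_locked]
  raise ArgumentError, "no Facebook profile in session" if locked.nil? || locked.empty?

  user_params = submitted.transform_keys(&:to_s)
  tampered = LOCKED_FIELDS.select do |field|
    user_params.key?(field) && user_params[field] != locked[field]
  end
  attrs = user_params.reject { |key, _| LOCKED_FIELDS.include?(key) }.merge(locked)
  [attrs, tampered]
end

# Constructed sample data: the form was prefilled for alice@example.com, but
# the submitted request carries a different email (e.g. edited in the browser).
session = {}
remember_facebook_profile(session, { "email" => "alice@example.com", "name" => "Alice" })
attrs, tampered = build_signup_attributes(
  session, { "name" => "Alice A.", "email" => "mallory@example.com" }
)
puts attrs.inspect               # email comes from the session, name from the form
puts "tampered: #{tampered.inspect}"
```

With this in place the email field can be shown as plain text or as a disabled input; what the browser submits for it no longer affects the record that gets created.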