When adding an Event that belongs_to a place, I have a select box, and the place_id is in the attr_accessible list.
Obviously, in the form I am only showing the list of the logged-in user's places. But is this secure? What if the user fiddled with the form and changed the place_id to a different one, and managed to assign the event to a different user's place?
Is there a standard way to limit the accepted values of an attr_accessible attribute (or a Rails 4 strong parameters attribute)?
You can use the cancan gem for authorization and security purposes.
There is a nice Railscast by Ryan Bates:
http://railscasts.com/episodes/192-authorization-with-cancan
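
The check the question asks about, as an added plain-Ruby example that is not part of the original posts: the submitted place_id is resolved only among the current user's own places, so a tampered value is rejected on the server. The structs, sample data, `places_for` and `build_event` are constructed stand-ins; in a Rails controller the same lookup is typically `current_user.places.find(params[:event][:place_id])`, assuming a `current_user` helper and a `has_many :places` association.

```ruby
# Constructed in-memory stand-ins for the Place and Event models (not Rails code).
Place = Struct.new(:id, :user_id, :name)
Event = Struct.new(:title, :place_id)

class NotAuthorized < StandardError; end

# Constructed sample data: user 1 owns places 10 and 11, user 2 owns place 20.
PLACES = [
  Place.new(10, 1, "Cafe"),
  Place.new(11, 1, "Studio"),
  Place.new(20, 2, "Hall")
].freeze

# Stand-in for the association scope (current_user.places in Rails).
def places_for(user_id)
  PLACES.select { |place| place.user_id == user_id }
end

# Hypothetical helper: build an event from submitted form params.
# Listing a key in attr_accessible or strong parameters only permits the key;
# it says nothing about which values are allowed. Ownership is enforced here
# by looking the place up inside the current user's places only.
def build_event(current_user_id, params)
  # Strict base-10 parse; anything that is not a plain integer becomes nil.
  place_id = Integer(params["place_id"].to_s, 10, exception: false)
  place = places_for(current_user_id).find { |p| p.id == place_id }
  unless place
    raise NotAuthorized, "place_id #{params['place_id'].inspect} is not one of your places"
  end
  Event.new(params.fetch("title"), place.id)
end
```
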