I am using HABTM checkboxes as described here:
http://railscasts.com/episodes/17-habtm-checkboxes
Problem is not all categories are available for a project, but using this method a user can inspect the code in their browser, and change the category ids before submitting.
How can I prevent this exploit? The only option I see is to brute-force loop through all category ids while comparing them to a list of valid category ids, and reject those that don't match.
Thanks
I would suggest adding a validation to your Project model. It should check that the categories assigned to the project are available to be assigned to that project. Then the controller can show a validation error to the user.
```ruby
class Project < ActiveRecord::Base
  has_and_belongs_to_many :categories

  # `validate` (not `validates`) registers a custom validation method
  validate :categories_are_available

  private

  def categories_are_available
    # Assumes an `available_categories` method that returns the categories
    # this project is allowed to use; anything submitted outside that set is rejected
    unavailable = categories - available_categories
    errors.add(:categories, "contains categories not available for this project") if unavailable.any?
  end
end
```