There are certain user fields that I have hidden using CSS.
However they could still be updated using rails console, api or dev tools.
How do I ensure that nobody can update these fields (for example website or location) using aforementioned methods?
Write a plugin to change the API (ie override the Controllers, Model or the associated library functions)
This is very unlikely btw, only admins will get to the Rails console.
3 Likes
If you are hiding the display of these values, what does it matter if they fill them in? It would require some user contriving to add a location and another user would need to contrive to visit their profile and see what they had entered.
Short of forking Discourse to remove those fields from the model, there isn’t much way to keep someone with access to the rails console entering data in them.
You could write a plugin that would run periodically and set whatever fields you want to nil. Or you could have a hook that gets called when the user profile is updated that nils out those fields. Look for a plugin in GitHub - discourse/all-the-plugins that has an “add_model_callback” and “:before_save” for some examples. And then you’d do it for UserProfile.
3 Likes