Rails, how to submit disabled checkbox with true when checked

Question

I'm having trouble working with disabled checkboxes.

I've tried two approaches. first:

= check_box "permissions", "permission_#{row}[create]", {checked: has_permission?(@user, permission, "create")}, 'true', 'false'

This checkbox is disabled inside of the view but also checked, but when submitted it's value in my params looks like this:

"create"=>"false"

So when I update my attributes, created is changed from true to false in my params.

How can I send true to my params instead of false, when a disabled checkbox is checked?

Answer 1

I suppose the reason why you've disabled those checkboxes in the first place is to make permissions read-only. But it's very easy for someone to remove the disabled flag from the checkbox by using browser debugging tools, set the permissions and submit.

Therefore I would suggest removing these values from params before handing to the model no matter what, for example by excluding them from the allowed parameters, or by issuing splice.

This way you will still be displaying the actual permissions, but ignoring any attempt to change them without authorization.