
I am using simple_form 2.0. I have a Boolean field 'stock' which I am trying to submit as radio buttons.

<%= f.input :stock, :as => :radio_buttons,
            :collection => [['Purchase Indent', false], ['Stock', true]],
            label: "Shipments From", :disabled => true %>

The stock is marked as false before rendering the form.

Before submitting the form

Once I submit the form the stock itself is missing from the parameter and I get this error.

After submitting the form.

Because I am validating stock's inclusion.

validates_inclusion_of :stock, :in => [true, false]

It works fine if I don't disable the field. But I don't want the user to be able to change it. Please help.

Update

The reason is that disabled fields are never sent.
http://www.w3.org/TR/html401/interact/forms.html#h-17.12

Seems like making it read-only will help.
https://github.com/plataformatec/simple_form/pull/367

But the news is that radio buttons can't be made read-only.
Why can't radio buttons be "readonly"?

Bot

2 Answers

1

One option is to separate the buttons and only disable the unselected option:

<%= f.input :stock, :as => :radio_buttons, collection: [['Purchase Indent', false]], label: "Shipments From" %>
<%= f.input :stock, :as => :radio_buttons, collection: [['Stock', true]], label: "", :disabled => true %>

Another option would be to add a hidden input with the desired value.

Sim0n222
  • It's not that stock true should always be disabled. The value of stock variable is set in controller. It should be like, both the radio buttons should be displayed, but shouldn't be allowed to change. – Bot Dec 20 '13 at 09:30
  • Could you add a hidden input with the desired value and disable the radio buttons? – Sim0n222 Dec 20 '13 at 15:26
1

Remember not to trust user-submitted data. I don't think you should build it like this, because a hacker can just change the HTML / submit an artificial request even if you disable the form elements. Hidden form elements don't fix this, as anyone with a DOM explorer can change the values. Of course, if your model checks and rejects this kind of thing it's not such a big problem.

So to fix the particular problem, just do the visuals as you have already, and re-insert the expected value in your controller's update or create action.

For more info there's lots online, e.g. OWASP, but I liked the book "How to Break Web Software" from a few years back by some guys at Google.

nruth
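
An added example, not part of either answer: the "re-insert the expected value in your controller" approach, sketched in plain Ruby so it runs without Rails. `Shipment`, `PERMITTED`, `create_shipment` and the sample requests are hypothetical names and constructed data; in a Rails controller the same effect comes from leaving `:stock` out of `params.require(...).permit(...)` and assigning it in the action.

```ruby
# Minimal model carrying the same rule as
# validates_inclusion_of :stock, :in => [true, false]
Shipment = Struct.new(:name, :stock) do
  def valid?
    [true, false].include?(stock)
  end
end

# Fields the client may set. :stock is deliberately absent, so a submitted
# value for it is dropped before it can reach the model.
PERMITTED = %w[name].freeze

# server_stock is the value the controller chose before rendering the form.
def create_shipment(form_params, server_stock)
  attrs = form_params.select { |key, _| PERMITTED.include?(key) }
  shipment = Shipment.new(attrs["name"], nil)
  shipment.stock = server_stock # set server side, never read from the request
  shipment
end

# For comparison: trusts whatever the request carries.
def create_shipment_naive(form_params)
  raw = form_params["stock"]
  stock = raw.nil? ? nil : raw == "true"
  Shipment.new(form_params["name"], stock)
end

# Constructed sample requests.
# Disabled radio buttons: the browser sends no stock key at all.
DISABLED_FORM = { "name" => "Order 1" }.freeze
# Hidden field (or re-enabled radio) edited in the browser before submit.
TAMPERED_FORM = { "name" => "Order 1", "stock" => "true" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts create_shipment_naive(DISABLED_FORM).valid?  # false: inclusion check fails
  puts create_shipment_naive(TAMPERED_FORM).stock   # true: client chose the value
  puts create_shipment(DISABLED_FORM, false).valid? # true
  puts create_shipment(TAMPERED_FORM, false).stock  # false: server value wins
end
```

The disabled radio buttons remain purely visual; whether the field is missing or altered in the request, the stored value is the one the server decided.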