From 3ec9765ca3f4f37fc33144b7bdf8275d9dcdcb57 Mon Sep 17 00:00:00 2001
From: Mike McCabe <mccabe615@gmail.com>
Date: Thu, 14 Nov 2013 11:24:15 -0500
Subject: [PATCH] small update to A7

---
 .../tutorial/access_control/_access_control_first.html.erb    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/views/layouts/tutorial/access_control/_access_control_first.html.erb b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb
index 832abb1..7dd02ed 100644
--- a/app/views/layouts/tutorial/access_control/_access_control_first.html.erb
+++ b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb
@@ -66,13 +66,13 @@
         </p>  
         <p><b>Failure to Restrict URL Access - SOLUTION</b></p>
         <p class="desc">
-        The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to enforce the filter on all access requests to the admin dashboard as follows:
+        The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to remove the conditional and enforce the filter on all access requests to the admin dashboard as follows:
         </p>
         <pre class="ruby">
         <%= %q{
         class AdminController < ApplicationController
         
-          before_filter :administrative, :if => :admin_param
+          before_filter :administrative
         } %>
         </pre>
         </div>