Olek Janiszewski
2013-Jan-17 12:03 UTC
Automatically permit params submitted via a FormBuilder'd form
Hi,

I was wondering about transparently permitting parameters submitted through a (signed) form. I assume many people have already had this idea, so maybe there are some caveats which make it a no-go?

The idea of moving mass-assignment protection from the M to the VC is great, but the duplication in the views and controllers bothers me. The form rendered with a FormBuilder already has all the information, which fields are permitted. So why not include a hidden input with the field names (and a secure checksum) as part of the form submission?

There probably needs to be a lower-level API to declare a field as permitted without rendering it (so that the form can be manipulated on client side with JS), or maybe even conditionally modify the field list in the controller, and probably a million other tweaks, but the simplest solution should work for most cases. Some controllers handling form-less requests (e.g. API requests) would of course still need to explicitly whitelist their params.

I'd like to work on it if you guys think that's a good idea.

--
Regards,
Olek Janiszewski
Rafael Mendonça França
2013-Jan-17 12:39 UTC
Re: Automatically permit params submitted via a FormBuilder'd form
Yehuda Katz started an implementation of this feature and found some problems with cached forms. We ended up not implementing this for Rails 4. Maybe he can give more information about the problems.

Rafael Mendonça França
http://twitter.com/rafaelfranca
https://github.com/rafaelfranca

On Thu, Jan 17, 2013 at 10:03 AM, Olek Janiszewski <olek.janiszewski@gmail.com> wrote:

> Hi,
>
> I was wondering about transparently permitting parameters submitted through a (signed) form. I assume many people have already had this idea, so maybe there are some caveats which make it a no-go?
>
> The idea of moving mass-assignment protection from the M to the VC is great, but the duplication in the views and controllers bothers me. The form rendered with a FormBuilder already has all the information, which fields are permitted. So why not include a hidden input with the field names (and a secure checksum) as part of the form submission?
>
> There probably needs to be a lower-level API to declare a field as permitted without rendering it (so that the form can be manipulated on client side with JS), or maybe even conditionally modify the field list in the controller, and probably a million other tweaks, but the simplest solution should work for most cases. Some controllers handling form-less requests (e.g. API requests) would of course still need to explicitly whitelist their params.
>
> I'd like to work on it if you guys think that's a good idea.
>
> --
> Regards,
> Olek Janiszewski
Olek Janiszewski
2013-Jan-17 16:21 UTC
Re: Automatically permit params submitted via a FormBuilder'd form
> Yehuda Katz started an implementation of this feature and found some problems with cached forms. We ended up not implementing this for Rails 4.
> Maybe he can give more information about the problems.

Thanks Rafael. I'm curious about the problems that Yehuda ran into. I've been thinking about caching as well, but I can't think of a situation where it may be a problem - after all, the fields list and the checksum should be a function of the form inputs and the server-side secret, not cookies, the session or anything else request-specific. What am I missing?

--
Regards,
Olek Janiszewski
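As an added illustration of the proposal in the first message and of the caching point raised in the last one (this is constructed example code, not Rails or anything the thread's authors wrote), the sketch below builds a hidden-field value from the permitted field names plus an HMAC over them, and verifies it on the controller side before filtering the submitted params. `SERVER_SECRET`, `permitted_fields_token`, `permitted_params` and the `_permitted` parameter name are all assumptions made for the example; because the token depends only on the model name, the field list and the server secret, it is deterministic and the rendered form can be cached without tying it to a session.

```ruby
require "openssl"
require "json"

# Placeholder secret for the example; a real app would use its secret_key_base.
SERVER_SECRET = "placeholder-secret-change-me"

# View side (what a FormBuilder helper could emit as a hidden input):
# the value is base64(payload) + "--" + HMAC-SHA256(payload). It depends only
# on the model name, the sorted field list and the server secret, so it is
# stable across requests and safe to include in a cached form fragment.
def permitted_fields_token(model, fields, secret = SERVER_SECRET)
  payload = JSON.generate("model" => model.to_s,
                          "fields" => fields.map(&:to_s).sort)
  sig = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{[payload].pack('m0')}--#{sig}"
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Controller side: verify the token, then keep only the whitelisted fields of
# the model's params. Returns nil when the token is missing, malformed or
# tampered with, which a controller would treat as a rejected request.
def permitted_params(params, secret = SERVER_SECRET)
  token = params["_permitted"]
  return nil unless token.is_a?(String) && token.include?("--")
  encoded, sig = token.split("--", 2)
  payload = begin
    encoded.unpack1("m0")          # strict base64; raises on garbage
  rescue ArgumentError
    return nil
  end
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  return nil unless secure_compare(expected, sig)
  meta = JSON.parse(payload)
  model_params = params[meta["model"]]
  return nil unless model_params.is_a?(Hash)
  model_params.select { |key, _| meta["fields"].include?(key) }
end
```

Note that the token only proves which fields the server rendered; a field permitted without rendering (the thread's JS use case) would still have to be added to the list before signing, and API controllers without a form keep their explicit whitelist.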