Neville Burnell
2005-Jul-18 06:00 UTC
RE: item = collection.build/ attributes =params/ item.save.Protection against collection_id being set in params?
I believe it will not stop a hacker.

I expect you will have to do:

    item.user = @user

to be sure that the item user_id is not "hacked".

-----Original Message-----
From: rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org [mailto:rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org] On Behalf Of Nicholas Lee
Sent: Monday, 18 July 2005 3:58 PM
To: rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
Subject: [Rails] item = collection.build/ attributes =params/ item.save.Protection against collection_id being set in params?

Is this:

    item = @user.todos.build
    item.attributes = @params["new_item"]
    item.save

going to stop an attacker from inserting some user_id into @params[]? Or will this have to be explicitly checked before saving?

--
Nicholas Lee
http://stateless.geek.nz
gpg 8072 4F86 EDCD 4FC1 18EF 5BDD 07B0 9597 6D58 D70C
Nicholas Lee
2005-Jul-18 07:59 UTC
Re: item = collection.build/ attributes =params/ item.save.Protection against collection_id being set in params?
On 7/18/05, Neville Burnell <Neville.Burnell-uEDVyssJ3mUpAS55Wn97og@public.gmane.org> wrote:
> I believe it will not stop a hacker
>
> I expect you will have to do:
>
> item.user = @user
>
> to be sure that the item user_id is not "hacked"

I was thinking that would be the case. Which is a shame, as it might be a subtle bug that might get people.

I was thinking on the way to the airport to pick someone up that this might be a better method:

    @params["new_item"][:user_id] = nil
    item = @user.todos.build
    item.attributes = @params["new_item"]
    item.save

--
Nicholas Lee
http://stateless.geek.nz
gpg 8072 4F86 EDCD 4FC1 18EF 5BDD 07B0 9597 6D58 D70C
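The three patterns discussed in this thread (build then mass-assign, set the owner after mass assignment, nil the key in the params hash), run against a hostile request, as an added example that is not part of the original posts. `Todo`, `build_todo_for`, the `create_*` functions, `PERMITTED_KEYS` and `HOSTILE_PARAMS` are stand-ins written for this example: `Todo` is plain Ruby whose `attributes=` is modelled on ActiveRecord mass assignment (every key naming a column is written, nil included), not ActiveRecord itself, and the whitelist in the fourth pattern is a hypothetical hardening that goes beyond what the thread proposes.

```ruby
# Added example (not from the thread, not ActiveRecord): a plain-Ruby stand-in
# for an ActiveRecord model whose `attributes=` behaves like mass assignment,
# used to show what each pattern in the thread does with a hostile request.
class Todo
  COLUMNS = %w[user_id title done].freeze

  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = {}
    self.attributes = attrs
  end

  # Mass assignment as modelled here: every key that names a column is
  # written, foreign keys such as user_id included, nil values included.
  def attributes=(hash)
    hash.each do |key, value|
      key = key.to_s
      @attributes[key] = value if COLUMNS.include?(key)
    end
  end

  def user_id
    @attributes["user_id"]
  end
end

# Stand-in for @user.todos.build: a fresh Todo with user_id preset to the owner.
def build_todo_for(owner_id)
  Todo.new("user_id" => owner_id)
end

# Pattern 1, the original question: build, then mass-assign the request hash.
# The request's user_id overwrites the one build set.
def create_vulnerable(owner_id, params)
  item = build_todo_for(owner_id)
  item.attributes = params["new_item"]
  item
end

# Pattern 2, Neville's suggestion: set the owner after mass assignment
# (stand-in for item.user = @user). Whatever the request sent is overwritten.
def create_owner_last(owner_id, params)
  item = build_todo_for(owner_id)
  item.attributes = params["new_item"]
  item.attributes = { "user_id" => owner_id }
  item
end

# Pattern 3, Nicholas's follow-up: nil the key in the request hash, then build
# and mass-assign. As modelled here the nil is still assigned, so the todo ends
# up with no owner at all.
def create_nil_key(owner_id, params)
  new_item = params["new_item"].dup
  new_item["user_id"] = nil
  item = build_todo_for(owner_id)
  item.attributes = new_item
  item
end

# Pattern 4 (hypothetical hardening, beyond the thread): keep only the keys a
# client is allowed to set, then assign the owner server-side regardless.
PERMITTED_KEYS = %w[title done].freeze

def create_whitelisted(owner_id, params)
  safe = params["new_item"].select { |k, _| PERMITTED_KEYS.include?(k.to_s) }
  item = build_todo_for(owner_id)
  item.attributes = safe
  item.attributes = { "user_id" => owner_id }
  item
end

# Constructed request, as a hostile client would post it: the real form fields
# plus a smuggled user_id pointing at someone else's account.
HOSTILE_PARAMS = {
  "new_item" => { "title" => "buy milk", "done" => false, "user_id" => 999 }
}.freeze

if __FILE__ == $PROGRAM_NAME
  %w[create_vulnerable create_owner_last create_nil_key create_whitelisted].each do |fn|
    todo = send(fn, 42, HOSTILE_PARAMS)
    puts "#{fn.ljust(18)} user_id=#{todo.user_id.inspect}"
  end
end
```

Run stand-alone, the script prints one line per pattern: the first keeps the attacker's 999, the nil-key variant leaves user_id empty, and only the two patterns that assign the owner after the request hash end up with 42. The whitelist adds a second layer so that a future column (say, an `admin` flag) is not mass-assignable by default either.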