I know this is not a REAL security issue, but I think it could be, and this seems very "unrails" like. What's to keep a user from modifying the post hash they send to the server to set ANY attributes they want for an AR object? attr_protected? So I have to write an attr_protected line in my model for EVERY relationship I set up? This seems bad:

1. It's redundant and not what I would expect in Rails.
2. If I forget to attr_protect a foreign key attribute I all of a sudden have a possible security issue.

Let's pretend a User belongs to a user group, has and belongs to many roles, and has many orders. So I need to do the following to make my model secure?

    attr_protected :user_group_id, :role_ids, :order_ids

Am I missing something, or am I the only person that thinks something is wrong with this?

-- Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
attr_accessible is what I think you want. I found out about it at http://railscasts.com/episodes/26
Hey Ben, and remember that if you use the 'attr_accessible' macro, all attributes *not* defined will be protected.

Adam
-- SweetSpot.dm -- Diabetes Wellness for the Family
http://www.SweetSpot.dm
http://blog.SweetSpot.dm

On May 28, 1:36 am, clouder <clouder...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> attr_accessible is what I think you want
> I found out about it at http://railscasts.com/episodes/26
On May 27, 2008, at 10:36 PM, clouder wrote:
> attr_accessible is what I think you want
> I found out about it at http://railscasts.com/episodes/26

attr_accessible is only a partial solution for a narrow field of cases. Allowed fields in a POST or GET need to be defined on a case by case, form by form basis -- _not_ on a model-wide basis. Allowing field x to be submitted in form A may be ok, but allowing it to be submitted in form B may not.

In my own frameworks I have always had a server-side definition in the processing of every specific form of which fields were allowed. That was one of the very first things I found myself writing a little method for in Rails. I have a library of misc Security Utility methods. This is one of them:

    def SecurityUtilities.distill_params(allowed_inputs, input_params)
      input_params.delete_if do |input_name, input_value|
        !(allowed_inputs.include?(input_name.to_sym))
      end
    end

Prior to any form process, I first weed out the garbage from params by defining the allowed_inputs:

    allowed_inputs = [ :userType, :pswd1, :pswd2, :userFirstName, :userLastName, :userEmail, :userHint, :userHosts]

which gets passed along with the params to filter unwanted k-v pairs from params.

-- def gw writes_at 'www.railsdev.ws' end
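The concern in the first post (any key in the submitted hash becomes a model attribute) and the per-form allow list gw describes, shown together as an added, stand-alone example that is not code from this thread: the User class is a constructed stand-in for an ActiveRecord model, and the form name, field list and request hash are assumed for illustration.

```ruby
require 'set'

# Constructed stand-in for an ActiveRecord model: every key in the hash
# becomes an attribute, which is exactly what makes a tampered form hash
# dangerous when it reaches the model unfiltered.
class User
  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    params.each { |name, value| @attributes[name.to_sym] = value }
  end
end

# Per-form allow list (one per form, as gw's message describes). The
# form and its field names are assumed; only the listed keys survive.
SIGNUP_FORM_INPUTS = %i[userFirstName userLastName userEmail pswd1 pswd2].freeze

# Returns a new hash holding only the permitted keys. Unlike delete_if,
# this leaves the original params intact so rejected keys can be logged.
def distill_params(allowed_inputs, input_params)
  allowed = allowed_inputs.to_set
  input_params.select { |name, _| allowed.include?(name.to_sym) }
end

# Keys that were dropped: worth logging, since a foreign key or role id
# arriving in a signup form is a tampered request, not a user mistake.
def rejected_params(allowed_inputs, input_params)
  allowed = allowed_inputs.to_set
  input_params.keys.reject { |name| allowed.include?(name.to_sym) }
end

# Constructed request: a normal signup plus two keys the form never sends.
TAMPERED_SIGNUP = {
  'userFirstName' => 'Ben', 'userEmail' => 'ben@example.com',
  'pswd1' => 'x', 'pswd2' => 'x',
  'user_group_id' => 1, 'role_ids' => [1, 2]
}.freeze

def build_user_unsafely(params)
  User.new(params) # every submitted key, foreign keys included, is assigned
end

def build_user_safely(params)
  User.new(distill_params(SIGNUP_FORM_INPUTS, params))
end

if __FILE__ == $PROGRAM_NAME
  puts "rejected keys: #{rejected_params(SIGNUP_FORM_INPUTS, TAMPERED_SIGNUP).inspect}"
end
```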