I know it's a good practice to set attr_accessible for models. As an example, if I have a model with an admin: boolean attribute and I don't set attr_accessible, a user can do: put /users/17?admin=1, making user 17 an admin. But if I have attr_accessible set and I want to create new users with an HTML form, how can I set admin true or false? Do I have to do an update directly in the database?

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
On 26 Feb 2011, at 15:31, Mauro wrote:
> I know it's a good practice to set attr_accessible for models.
> As an example, if I have a model with an admin: boolean attribute and I
> don't set attr_accessible, a user can do: put /users/17?admin=1, making
> user 17 an admin.
> But if I have attr_accessible set and I want to create new users with
> an HTML form, how can I set admin true or false?
> Do I have to do an update directly in the database?

Indeed, if you protect the admin boolean from mass assignment, it's up to you to assign it. You can still use the incoming params to determine if you need to set it or not, but you'll probably want to verify that the user has the permissions to do that.

Best regards

Peter De Berdt
On 26 February 2011 14:31, Mauro <mrsanna1-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I know it's a good practice to set attr_accessible for models.
> As an example, if I have a model with an admin: boolean attribute and I
> don't set attr_accessible, a user can do: put /users/17?admin=1, making
> user 17 an admin.
> But if I have attr_accessible set and I want to create new users with
> an HTML form, how can I set admin true or false?
> Do I have to do an update directly in the database?

You don't need a separate operation on the db. In create or update in the controller, before you call save or update_attributes, set the admin attribute if appropriate.

Colin
It can be done like this: http://railscasts.com/episodes/237-dynamic-attr-accessible
On 27 February 2011 04:05, radhames brito <rbritom-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> it can be done like this
> http://railscasts.com/episodes/237-dynamic-attr-accessible

I'm viewing http://asciicasts.com/episodes/26-hackers-love-mass-assignment. It says that a hacker can do curl -d "user[name]=hacker&user[admin]=1" http://localhost:3000/Users/ and create an admin user. Ok, with attr_accessible he can't do that, but.......... if he can't create an admin user he can always create a user, not an admin user but a user. That is, he can insert values in my database. I can't use attr_accessible for all my model attributes.
On Feb 27, 11:24 am, Mauro <mrsan...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 27 February 2011 04:05, radhames brito <rbri...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > it can be done like this
> > http://railscasts.com/episodes/237-dynamic-attr-accessible
>
> I'm viewing http://asciicasts.com/episodes/26-hackers-love-mass-assignment.
> It says that a hacker can do curl -d
> "user[name]=hacker&user[admin]=1" http://localhost:3000/Users/ and
> create an admin user.
> Ok, with attr_accessible he can't do that, but.......... if he can't
> create an admin user he can always create a user, not an admin user
> but a user.
> That is, he can insert values in my database.
> I can't use attr_accessible for all my model attributes.

The hacker can only do that if you make the users/create action publicly available (ie you don't do something like require a logged-in user that is an admin). Very often users/create is publicly available (eg if anyone is allowed to sign up), and so you do need to make sure users can't sign up as an admin.

Fred
On Sat, Feb 26, 2011 at 10:12 PM, Colin Law <clanlaw-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> On 26 February 2011 14:31, Mauro <mrsanna1-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > I know it's a good practice to set attr_accessible for models.
> > As an example, if I have a model with an admin: boolean attribute and I
> > don't set attr_accessible, a user can do: put /users/17?admin=1, making
> > user 17 an admin.
> > But if I have attr_accessible set and I want to create new users with
> > an HTML form, how can I set admin true or false?
> > Do I have to do an update directly in the database?
>
> You don't need a separate operation on the db. In create or update in
> the controller, before you call save or update_attributes, set
> the admin attribute if appropriate.
>
> Colin

Is it good practice to do this in the models or in the controllers? If it is in the models, then all sorts of validations go in place.

Regards,
On 28 February 2011 04:01, Bhasker Harihara <harihara.bhasker-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Sat, Feb 26, 2011 at 10:12 PM, Colin Law <clanlaw-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
>> On 26 February 2011 14:31, Mauro <mrsanna1-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> > I know it's a good practice to set attr_accessible for models.
>> > As an example, if I have a model with an admin: boolean attribute and I
>> > don't set attr_accessible, a user can do: put /users/17?admin=1, making
>> > user 17 an admin.
>> > But if I have attr_accessible set and I want to create new users with
>> > an HTML form, how can I set admin true or false?
>> > Do I have to do an update directly in the database?
>>
>> You don't need a separate operation on the db. In create or update in
>> the controller, before you call save or update_attributes, set
>> the admin attribute if appropriate.
>>
>> Colin
>
> Is it good practice to do this in the models or in the controllers?
>
> If it is in the models, then all sorts of validations go in place.

To do exactly what in the model or controller? Presumably the decision about whether a user is admin or not is made in a controller action. You can then set @user.admin = true before saving, or you could call a model method @user.set_admin(true). It is up to you which you prefer.

Colin

> Regards,
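The pattern the replies converge on (attr_accessible keeps `admin` out of mass assignment; the controller decides, after a permission check, whether to set it before save) as an added plain-Ruby example. This is not code from the thread or from Rails: the whitelist in `User::ACCESSIBLE` simulates what `attr_accessible :name, :email` does so the file runs without Rails, and `create_user`, `update_user`, `apply_admin_flag` and the `current_user` argument are assumed stand-ins for the controller actions and the logged-in user.

```ruby
# Added example, not from the mailing-list thread or from Rails itself.
# A plain-Ruby sketch of mass-assignment protection plus the explicit
# "grant admin only if the caller may" step the replies recommend.
require 'set'

class User
  # Simulates `attr_accessible :name, :email` in the model: only these keys
  # may be set through mass assignment. `admin` is deliberately absent.
  ACCESSIBLE = Set.new(%w[name email]).freeze

  attr_accessor :name, :email
  attr_reader :admin, :rejected

  def initialize(params = {})
    @admin = false
    @rejected = []
    assign_attributes(params)
  end

  # Mass assignment: keys not on the whitelist are dropped (Rails logs a
  # warning for them; here they are collected in `rejected` so a test can
  # confirm the request's admin=1 was ignored rather than silently applied).
  def assign_attributes(params)
    params.each do |key, value|
      key = key.to_s
      if ACCESSIBLE.include?(key)
        public_send("#{key}=", value)
      else
        @rejected << key
      end
    end
    self
  end

  # The explicit model method Colin mentions (@user.set_admin(true)).
  def set_admin(flag)
    @admin = flag ? true : false
  end
end

# The permission check Peter and Fred recommend: the request may *ask* for
# admin, but the value is applied only when the caller is already an admin
# (an anonymous signup has current_user = nil and never gets it).
def apply_admin_flag(user, user_params, current_user)
  return user unless user_params.key?("admin")
  return user unless current_user && current_user.admin
  user.set_admin(user_params["admin"].to_s == "1")
  user
end

# Stand-in for users/create. params["user"] is what
# curl -d "user[name]=hacker&user[admin]=1" produces.
def create_user(params, current_user = nil)
  user_params = params.fetch("user", {})
  user = User.new(user_params)           # admin dropped by the whitelist
  apply_admin_flag(user, user_params, current_user)
end

# Stand-in for users/update, i.e. the put /users/17?admin=1 case.
def update_user(user, params, current_user = nil)
  user_params = params.fetch("user", {})
  user.assign_attributes(user_params)    # same whitelist, same drop
  apply_admin_flag(user, user_params, current_user)
end

if __FILE__ == $0
  # Constructed request: anonymous signup that tries to smuggle admin=1.
  u = create_user({ "user" => { "name" => "hacker", "admin" => "1" } })
  puts "anonymous signup: admin=#{u.admin}, rejected=#{u.rejected.inspect}"
end
```

Running the file shows the anonymous signup ending up with `admin=false` and `admin` listed among the rejected keys; the same request issued by a caller whose own `admin` is true does set the flag, because the decision is made in the action rather than taken from the request.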