Mohamad El-Husseini
2012-Apr-29 20:48 UTC
Avoiding a mass assignment security flaw while assigning user roles
I have User, Account, and Role models. Role stores the relationship type between Account and User.

I know that *attr_accessible* should be blank in the Role model to prevent attackers from changing either the role type (owner, admin, moderator, subscriber), account, or user ids.

But what if an admin wants to change a subscriber to a moderator? This would raise a mass assignment security exception:

    user = User.find(params[:id])
    role = user.roles.find_by_account_id(params[:account_id])
    role.type = "admin"

How do I solve this? One way is to create a separate model to represent each role (owner, admin, moderator, subscriber) and use an STI type pattern. This lets me do:

    user = User.find(params[:id])
    user.moderatorship.build(account_id: params[:account_id])

Tedious! I would have to create Ownership, Moderatorship, Subscribership, etc..., and have them inherit from Role. If I want to stick to a single Role model, how can I modify a role type without having a mass assignment security flaw?

Also, I would appreciate an answer to this: Should I use a User has_many roles (user can have a single record for each role type) or has_one role (user can only have one role record, which must be toggled if their role changes) pattern?

Models:

    class User < ActiveRecord::Base
      attr_accessible :name, :email

      has_many :roles
      has_many :accounts, through: :roles
    end

    class Account < ActiveRecord::Base
      attr_accessible :title

      belongs_to :user
    end

    class Role < ActiveRecord::Base
      attr_accessible
    end

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/sEc1RkV7VisJ.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Mohamad El-Husseini
2012-Apr-30 00:41 UTC
Re: Avoiding a mass assignment security flaw while assigning user roles
After doing my own research, it looks like I can approach this two ways:

1. Episode 237, Railscasts, Dynamic attr_accessible, overriding mass_assignment_authorizer
2. I can use attr_accessible :role, as: :admin

I would appreciate it if anyone can elaborate on the merits of either approach.

On Sunday, April 29, 2012 4:48:12 PM UTC-4, Mohamad El-Husseini wrote:

> I have User, Account, and Role models. Role stores the relationship type between Account and User.
>
> I know that *attr_accessible* should be blank in the Role model to prevent attackers from changing either the role type (owner, admin, moderator, subscriber), account, or user ids.
>
> But what if an admin wants to change a subscriber to a moderator? This would raise a mass assignment security exception:
>
>     user = User.find(params[:id])
>     role = user.roles.find_by_account_id(params[:account_id])
>     role.type = "admin"
>
> How do I solve this? One way is to create a separate model to represent each role (owner, admin, moderator, subscriber) and use an STI type pattern. This lets me do:
>
>     user = User.find(params[:id])
>     user.moderatorship.build(account_id: params[:account_id])
>
> Tedious! I would have to create Ownership, Moderatorship, Subscribership, etc..., and have them inherit from Role. If I want to stick to a single Role model, how can I modify a role type without having a mass assignment security flaw?
>
> Also, I would appreciate an answer to this: Should I use a User has_many roles (user can have a single record for each role type) or has_one role (user can only have one role record, which must be toggled if their role changes) pattern?
>
> Models:
>
>     class User < ActiveRecord::Base
>       attr_accessible :name, :email
>
>       has_many :roles
>       has_many :accounts, through: :roles
>     end
>
>     class Account < ActiveRecord::Base
>       attr_accessible :title
>
>       belongs_to :user
>     end
>
>     class Role < ActiveRecord::Base
>       attr_accessible
>     end
Frederick Cheung
2012-Apr-30 06:12 UTC
Re: Avoiding a mass assignment security flaw while assigning user roles
On Apr 29, 9:48 pm, Mohamad El-Husseini <husseini....-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> I have User, Account, and Role models. Role stores the relationship type between Account and User.
>
> I know that *attr_accessible* should be blank in the Role model to prevent attackers from changing either the role type (owner, admin, moderator, subscriber), account, or user ids.
>
> But what if an admin wants to change a subscriber to a moderator? This would raise a mass assignment security exception:
>
>     user = User.find(params[:id])
>     role = user.roles.find_by_account_id(params[:account_id])
>     role.type = "admin"

No it wouldn't. You can always do foo.bar = 'baz', whether or not the bar attribute is accessible. What attr_accessible controls is what would happen if you did

    role.update_attributes(params[:role])

Fred

> How do I solve this? One way is to create a separate model to represent each role (owner, admin, moderator, subscriber) and use an STI type pattern. This lets me do:
>
>     user = User.find(params[:id])
>     user.moderatorship.build(account_id: params[:account_id])
>
> Tedious! I would have to create Ownership, Moderatorship, Subscribership, etc..., and have them inherit from Role. If I want to stick to a single Role model, how can I modify a role type without having a mass assignment security flaw?
>
> Also, I would appreciate an answer to this: Should I use a User has_many roles (user can have a single record for each role type) or has_one role (user can only have one role record, which must be toggled if their role changes) pattern?
>
> Models:
>
>     class User < ActiveRecord::Base
>       attr_accessible :name, :email
>
>       has_many :roles
>       has_many :accounts, through: :roles
>     end
>
>     class Account < ActiveRecord::Base
>       attr_accessible :title
>
>       belongs_to :user
>     end
>
>     class Role < ActiveRecord::Base
>       attr_accessible
>     end
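A stand-alone Ruby sketch of the two points made in this thread: Fred's observation that a plain setter is never checked and only mass assignment (update_attributes) goes through attr_accessible, and option 2 from the second post, a scoped whitelist such as attr_accessible :role, as: :admin. This is an added example, not code from the thread or from Rails: it re-implements the Rails 3.2 whitelist behaviour in a small Model class so it runs without ActiveRecord, and it assumes a column named role_type instead of the thread's type.

```ruby
# Minimal stand-in for Rails 3.2 whitelist mass-assignment protection.
# Assumption: this is NOT ActiveModel's code, only its visible behaviour.
class MassAssignmentError < StandardError; end

class Model
  # Per-scope whitelist; the :default scope is what update_attributes
  # consults when no `as:` option is given.
  def self.accessible(scope = :default)
    @accessible ||= Hash.new { |h, k| h[k] = [] }
    @accessible[scope]
  end

  # attr_accessible :role_type, as: :admin  => whitelisted for :admin only
  def self.attr_accessible(*names, as: :default)
    names.each { |n| attr_accessor n }
    accessible(as).concat(names.map(&:to_s))
  end

  # Mass assignment: every incoming key is checked against the whitelist
  # for the scope, so untrusted params cannot touch protected columns.
  def assign_attributes(params, as: :default)
    allowed = self.class.accessible(as)
    params.each do |key, value|
      unless allowed.include?(key.to_s)
        raise MassAssignmentError, "#{key} is not accessible as #{as}"
      end
      public_send("#{key}=", value)
    end
    self
  end
end

class Role < Model
  attr_accessor :user_id, :account_id, :role_type
  attr_accessible                         # blank by default: nothing
  attr_accessible :role_type, as: :admin  # admin actions may change the role
end

# Direct assignment is never checked: this is what Fred points out.
def promote_directly(role, new_type)
  role.role_type = new_type
  role.role_type
end

# Mass assignment from request params; returns :rejected when protected.
def promote_via_params(role, params, as: :default)
  role.assign_attributes(params, as: as)
  role.role_type
rescue MassAssignmentError
  :rejected
end
```

Under the default scope even role_type is rejected, under :admin only role_type is allowed, and user_id or account_id stay protected in both scopes.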