I know it's a good practice setting attr_accesible for models. As an example if I have a model with admin: boolean attribute and if I don't set attr_accessible, a user can do: put /users/17?admin=1 making user 17 an admin. But if I have attr_accessible set and I want to create new users with a html form, how can I set admin true or false? I have to do an update directly in the database?
Indeed, if you protect the admin boolean from mass assignment, it’s up to you to assign it. You can still use the incoming params to determine if you need to set it or not, but you’ll probably want to verify if the user has the permissions to do that.
Best regards
Peter De Berdt
You don't need a separate operation on the db. In create or update in the controller, before you call save or update_attributes, then set the admin attribute if appropriate.
Colin
I'm viewing http://asciicasts.com/episodes/26-hackers-love-mass-assignment. It says that an hacker can do curl -d "user[name]=hacker&user[admin]=1" http://localhost:3000/Users/ and create an admin user. Ok, wtih attr_accessible he can't do that but..........if he can't create an admin user he always can create a user, not an admin user but a user. That is he can insert values in my database. I can't use attr_accessible for all my model attributes.
The hacker can only do that if you make the users/create action publicly available (ie you don't do something like require a logged in user that is an admin). Very often users/create is publicly available (eg if anyone is allowed to signup) and so you do need to make sure users can't sign up as an admin.
Fred
I know it’s a good practice setting attr_accesible for models.
As an example if I have a model with admin: boolean attribute and if I
don’t set attr_accessible, a user can do: put /users/17?admin=1 making
user 17 an admin.
But if I have attr_accessible set and I want to create new users with
a html form, how can I set admin true or false?
I have to do an update directly in the database?
You don’t need a separate operation on the db. In create or update in
the controller, before you call save or update_attributes, then set
the admin attribute if appropriate.
Colin
Is it good practice to do in the models or in controllers.
If it is models then all sorts of validations go in place.
Regards,
> I know it's a good practice setting attr_accesible for models. > As an example if I have a model with admin: boolean attribute and if I > don't set attr_accessible, a user can do: put /users/17?admin=1 making > user 17 an admin. > But if I have attr_accessible set and I want to create new users with > a html form, how can I set admin true or false? > I have to do an update directly in the database?
You don't need a separate operation on the db. In create or update in the controller, before you call save or update_attributes, then set the admin attribute if appropriate.
Colin
Is it good practice to do in the models or in controllers.
If it is models then all sorts of validations go in place.
To do exactly what in the model or controller? Presumably the decision about whether a user is admin or not is made in a controller action. You can then set @user.admin = true before saving, or you could call a model method @user.set_admin(true). It is up to you which you prefer.
Colin
