attrs_accessible.

I know it's a good practice setting attr_accessible for models.
As an example, if I have a model with an admin: boolean attribute and I
don't set attr_accessible, a user can do: put /users/17?admin=1 making
user 17 an admin.
But if I have attr_accessible set and I want to create new users with
an HTML form, how can I set admin true or false?
Do I have to do an update directly in the database?

Indeed, if you protect the admin boolean from mass assignment, it’s up to you to assign it. You can still use the incoming params to determine if you need to set it or not, but you’ll probably want to verify if the user has the permissions to do that.

Best regards

Peter De Berdt

You don't need a separate operation on the db. In create or update in
the controller, before you call save or update_attributes, set
the admin attribute if appropriate.

Colin

It can be done like this:

http://railscasts.com/episodes/237-dynamic-attr-accessible

I'm viewing http://asciicasts.com/episodes/26-hackers-love-mass-assignment.
It says that a hacker can do curl -d
"user[name]=hacker&user[admin]=1" http://localhost:3000/Users/ and
create an admin user.
OK, with attr_accessible he can't do that, but... if he can't
create an admin user he can always create a user, not an admin user
but a user.
That is, he can insert values in my database.
I can't use attr_accessible for all my model attributes.

The hacker can only do that if you make the users/create action
publicly available (i.e. you don't do something like requiring a logged-in
user who is an admin).
Very often users/create is publicly available (e.g. if anyone is allowed
to sign up) and so you do need to make sure users can't sign up as an
admin.

Fred

Is it good practice to do this in the models or in the controllers?

If it is in the models, then all sorts of validations are in place.

Regards,

To do exactly what in the model or controller? Presumably the
decision about whether a user is admin or not is made in a controller
action. You can then set @user.admin = true before saving, or you
could call a model method @user.set_admin(true). It is up to you
which you prefer.

Colin
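To make the advice in this thread concrete, here is an added example that was not posted by anyone above and is not Rails' own code: it models the attr_accessible allowlist in plain Ruby so it runs without Rails, then shows a create action that assigns the protected admin flag by hand only after checking the caller's permission, as Peter, Colin and Fred describe. The names User, assign_attributes, create_user and current_user are assumptions made for this example.

```ruby
# Added example (not from the thread, not Rails): a plain-Ruby stand-in for
# a model with `attr_accessible :name, :email`, and a controller-style
# create action that sets the protected admin flag explicitly.

class User
  # Mirrors `attr_accessible :name, :email`: only these keys may be set
  # from a params hash; anything else (admin) is silently dropped.
  ACCESSIBLE = %w[name email].freeze

  attr_accessor :name, :email, :admin

  def initialize(params = {})
    @admin = false
    @saved = false
    assign_attributes(params)
  end

  # Mass assignment filtered by the allowlist. Returns the keys that were
  # dropped so a caller can log an attempt to set a protected attribute.
  def assign_attributes(params)
    dropped = []
    params.each do |key, value|
      key = key.to_s
      if ACCESSIBLE.include?(key)
        public_send("#{key}=", value)
      else
        dropped << key
      end
    end
    dropped
  end

  def save
    @saved = true
  end

  def saved?
    @saved
  end
end

# Stand-in for a users/create action. `current_user` is the logged-in user
# (nil for an anonymous signup); `params` is the submitted form data.
def create_user(params, current_user)
  user = User.new(params.fetch("user", {}))      # admin=1 is dropped here
  wants_admin = params.dig("user", "admin").to_s == "1"
  # The protected attribute is granted only by a caller allowed to do so.
  user.admin = true if wants_admin && current_user && current_user.admin
  user.save
  user
end
```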