field security best practice

11175 · July 30, 2008, 11:20am

Suppose i have a model (userprofile) which may be altered by users and admins, only 1 field (roll) may only be altered by admins.

of course i can exclude that field from the view if the users is not an admin, but i suspect this is not very safe because one could fake this form.

so the only thing i can think of is taking measures in the controller as well. which is not too handy because it is a long form and i use the update_atrributes method.

what i dit is to not include this field in params[:userprofile][:roll] but in params[:roll] by using text_field_tag instead of tex_field.

now i can update all my fields with @userprofile.update_params(params[:userprofile]) and update the roll field by @userprofiel.roll=params[:roll] if current_user.roll=="admin"

what is dislike is that i have to take measures at two places (view and controller) which is not very DRY. Are there better ways? perhaps in the model?

Regards,

Remco

Thorsten_Muller2 · July 30, 2008, 11:46am

You're right, that way it's not secure. Even if you fake around with the form, how would you know, that the data that reachs your server was generated using this form? Users can throw everything at your server, using simple command line tools.

Use attr_protected instead: http://api.rubyonrails.org/classes/ActiveRecord/Base.html#M001315

Then you get exactly the behaviour you want, the attribute can't be set with update_attributes, but must be set manually with update_attribute (or similar methods)

Topic		Replies	Views
Form Data Injection - How to protect against? rubyonrails-talk	5	136	October 4, 2006
How would you suggest ADMIN update non-attr_accessible fields? rubyonrails-talk	6	96	June 2, 2008
Rails security issue rubyonrails-talk	3	103	May 29, 2008
help with some ugly code: refactoring rubyonrails-talk	3	265	January 5, 2012
Protecting fields from being changed rubyonrails-talk	6	153	October 14, 2007

field security best practice

Related topics

More Resources