protect_from_forgery doesn't protect from forgery

Now when I use Firebug and inspect the page, I see a neat little field containing the authenticity_token.

But here it comes,

When I edit the page in Firebug, add a field called user_is_admin, set its value to 1, and then submit, the changes actually go through!! I have now made myself an admin.

Isn't protect_from_forgery supposed to protect from this? Obviously in the controller I have kept it simple and did a @user.update_attributes(params[:user]), expecting that the authenticity_token would never allow any params to be posted that I didn't allow through my form.

The forgery protect_from_forgery protects against is cross-site request forgery, i.e. completely unrelated to the problem you're tackling. You may be interested in attr_protected/attr_accessible.

Fred
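To make Fred's distinction concrete, here is an added example (not code from the original thread or from Rails itself) in plain Ruby that models what ActiveRecord's update_attributes does with a params hash, once without a whitelist and once with an attr_accessible-style whitelist. The MassAssignable base class, the attr_accessible reimplementation, the two User classes and the TAMPERED_PARAMS hash are all constructed for illustration; they mirror ActiveRecord's behaviour by name but are not ActiveRecord. The point it shows is that a valid authenticity_token gets the request past CSRF protection but does nothing to filter which fields arrive in the body; only the attribute whitelist does that.

```ruby
# Added example: a plain-Ruby sketch of ActiveRecord-style mass assignment
# with an attr_accessible whitelist. Not ActiveRecord itself; the class and
# method names below are assumptions chosen to mirror its behaviour.

# Base class providing mass assignment from a params hash, with an optional
# attr_accessible whitelist, modelled on ActiveRecord's attr_accessible.
class MassAssignable
  # Declare the attributes that may be set from user-supplied params.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  # nil means "everything is assignable" (the unsafe default in this sketch).
  def self.accessible_attributes
    @accessible
  end

  # Assign each key in params via its setter; drop keys not on the whitelist.
  # Returns the list of dropped keys so a caller could log the attempt.
  def update_attributes(params)
    allowed = self.class.accessible_attributes
    dropped = []
    params.each do |key, value|
      key = key.to_s
      if allowed && !allowed.include?(key)
        dropped << key
        next
      end
      public_send("#{key}=", value) if respond_to?("#{key}=")
    end
    dropped
  end
end

# The questioner's model as described: every column writable via params.
class UnprotectedUser < MassAssignable
  attr_accessor :name, :email, :user_is_admin
end

# Same model with a whitelist: only name and email may come from the form.
class ProtectedUser < MassAssignable
  attr_accessor :name, :email, :user_is_admin
  attr_accessible :name, :email
end

# Constructed request params, as a Firebug-edited form would submit them.
# The authenticity_token is present and assumed valid: CSRF protection
# passes, but it says nothing about which fields are in the body.
TAMPERED_PARAMS = {
  "authenticity_token" => "valid-token-for-this-session",
  "user" => {
    "name" => "mallory",
    "email" => "m@example.com",
    "user_is_admin" => "1",
  },
}

# Stand-in for the controller action: @user.update_attributes(params[:user]).
def update_user(klass, params)
  user = klass.new
  user.user_is_admin = "0"          # starting state: not an admin
  dropped = user.update_attributes(params["user"])
  { admin: user.user_is_admin, dropped: dropped }
end

if __FILE__ == $0
  p update_user(UnprotectedUser, TAMPERED_PARAMS) # admin becomes "1"
  p update_user(ProtectedUser, TAMPERED_PARAMS)   # user_is_admin is dropped
end
```

In real Rails of this era the same effect comes from declaring `attr_accessible :name, :email` in the model (or `attr_protected :user_is_admin`); later Rails versions moved this filtering into the controller as strong_parameters, but the principle is unchanged: the CSRF token authenticates the origin of the request, not its contents.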

The current solution is a trade-off: it is a simple solution that covers most use cases. Often the account_id of your User model is protected, period. That's what the current design supports.

There was a recent discussion in the core mailing list about possible ways to make this a little more flexible:

   http://groups.google.co.uk/group/rubyonrails-core/browse_thread/thread/3b6818496d0d07f1/0d20bb9236fe59af#0d20bb9236fe59af

but no conclusion except for some workarounds to the current solution when you need them.