I know this is not a REAL security issue, but I think it could be and
this seems very "unrails" like. What's to keep a user from modifying the
post hash they send to the server to set ANY attributes they want for an
AR object? attr_protected? So I have to write an attr_protected line in
my model for EVERY relationship I set up? This seems bad:
1. It's redundant and not what I would expect in rails.
2. If I forget to attr_protect a foreign key attribute I all of a sudden
have a possible security issue.
Let's pretend a User belongs to a user group, has and belongs to many
roles, and has many orders. So I need to do the following to make my
model secure?
attr_accessible is only a partial solution for a narrow field of cases. Allowed fields in a POST or GET need to be defined on a case by case, for by form basis -- _not_ on a model-wide basis.
Allowing field x to be submitted in form A may be ok, but allowing it to be submitted in form B may not.
In my own frameworks I have always had a server-side definition in the processing of every specific form of which fields were allowed. That was one of the very first things I found myself writing a little method for in Rails. I have a library of misc Security Utility methods. This is one of them:
def SecurityUtilities.distill_params(allowed_inputs, input_params)
input_params.delete_if do |input_name, input_value|
!(allowed_inputs.include?(input_name.to_sym))
end
end
Prior to any form process, I first weed out the garbage from params by defining the allowed_inputs: