I know this is not a REAL security issue, but I think it could be and
this seems very "unrails" like. What's to keep a user from modifying the
post hash they send to the server to set ANY attributes they want for an
AR object? attr_protected? So I have to write an attr_protected line in
my model for EVERY relationship I set up? This seems bad:
1. It's redundant and not what I would expect in rails.
2. If I forget to attr_protect a foreign key attribute I all of a sudden
have a possible security issue.
Let's pretend a User belongs to a user group, has and belongs to many
roles, and has many orders. So I need to do the following to make my
attr_protected :user_group_id, :role_ids, :order_ids
Am I missing something or am I the only person that thinks something is
wrong with this?
attr_accessible is what I think you want
I found out about it at http://railscasts.com/episodes/26
and remember that if you use the 'attr_accessible' macro, that all
attributes *not* defined will be protected.
attr_accessible is only a partial solution for a narrow field of cases. Allowed fields in a POST or GET need to be defined on a case by case, for by form basis -- _not_ on a model-wide basis.
Allowing field x to be submitted in form A may be ok, but allowing it to be submitted in form B may not.
In my own frameworks I have always had a server-side definition in the processing of every specific form of which fields were allowed. That was one of the very first things I found myself writing a little method for in Rails. I have a library of misc Security Utility methods. This is one of them:
def SecurityUtilities.distill_params(allowed_inputs, input_params)
input_params.delete_if do |input_name, input_value|
Prior to any form process, I first weed out the garbage from params by defining the allowed_inputs:
allowed_inputs = [
:userType, :pswd1, :pswd2,
:userEmail, :userHint, :userHosts]
which gets passed along with the params to filter unwnted k-v pairs from params.