LearningRoR

Reputation: 27222

Is this a safe way to mass assign through the controller?

I decided to take a different approach to mass assigning for security reasons and wanted to know if this is a safe way to do it inside of the controller?

QuestionsController

def new
  @survey = Survey.find(params[:survey_id])
  @question = Question.new
end

def create
  @survey = Survey.find(params[:survey_id])
  @question = @survey.questions.new
  @question.title = params[:question][:title]
  @question.description = params[:question][:description]
  if @question.save
    redirect_to new_survey_question_path
  else
    render :new
  end
end

Can they change the survey_id or any other column of the question? Is there a better approach besides using attr_accessible?

Upvotes: 1

Views: 60

Answers (3)

Alex Blakemore

Reputation: 11921

With Ruby 1.9, you can use the select method to slightly simplify iwiznia's solution.

enabled_attributes = [:title, :description]
# keys in params arrive as strings (HashWithIndifferentAccess), so compare the symbol form
@question = @survey.questions.new(params[:question].
              select { |k, v| enabled_attributes.include?(k.to_sym) })

Upvotes: 1

Victor Moroz

Reputation: 9225

@question.title, @question.description =
  params[:question].values_at(:title, :description)

Upvotes: 2

iwiznia

Reputation: 1679

Ok, you could do something like...

enabled_attributes = [:title, :description]
# keys in params arrive as strings, so convert before checking the whitelist
params[:question].delete_if { |k, v| !enabled_attributes.include?(k.to_sym) }
@question = @survey.questions.new(params[:question])

This deletes from the params[:question] hash all the attributes that aren't in the enabled array.

Upvotes: 2
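A stand-alone Ruby illustration of the whitelisting that iwiznia's and Alex Blakemore's answers describe, added here and not code from any of the answers. It assumes no Rails: `Question` is a toy stand-in for the model, the submitted hash is constructed to include a forged survey_id, and the filter normalizes keys to strings because a real params hash yields string keys.

```ruby
# Added example (not from the question or answers): a plain-Ruby whitelist
# filter in the spirit of iwiznia's delete_if and Alex Blakemore's select.
# Real Rails params keys are strings (HashWithIndifferentAccess), so the
# comparison is done on the string form of both sides, not on symbols.
def permitted_attributes(submitted, enabled)
  allowed = enabled.map(&:to_s)
  submitted.each_with_object({}) do |(key, value), out|
    out[key.to_s] = value if allowed.include?(key.to_s)
  end
end

# Toy stand-in for an ActiveRecord model: new(attrs) writes every key it is
# given, which is exactly why the filter has to run before mass assignment.
class Question
  attr_accessor :title, :description, :survey_id

  def initialize(attrs = {})
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

ENABLED = [:title, :description].freeze

# Constructed sample input: the client tries to move the question to another survey.
SUBMITTED = { "title" => "Q1", "description" => "d", "survey_id" => 999 }.freeze

# Mirrors the controller: survey_id is set from the server-side @survey,
# never from the submitted hash.
def build_question(survey_id, submitted)
  q = Question.new(permitted_attributes(submitted, ENABLED))
  q.survey_id = survey_id
  q
end

if __FILE__ == $PROGRAM_NAME
  q = build_question(7, SUBMITTED)
  puts "title=#{q.title} survey_id=#{q.survey_id}"   # survey_id stays 7
  puts "unfiltered survey_id=#{Question.new(SUBMITTED).survey_id}"  # 999
end
```

Passing the hash straight to `Question.new` shows the forged survey_id landing on the record; the filtered path drops it.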
