Larry

Reputation: 397

preventing active record attributes from being modified by forms

In Ruby on Rails, it's very easy to update a model from an HTML form. Usually you can just create a form_for with the model, and the fields in there will be updated when the user hits the submit button.

Say though that a malicious user wants to update their 'salary' without going through the proper channels. Couldn't they just inject a field by the name of 'salary' when updating their email address (for example) and set their pay to basically be whatever they want? How do I specify which fields can be modified and which can't to prevent this?

Seeing things like

@user.update_attributes(params[:user])

seems scary. They could update anything. I understand the use of attr_accessible, but that's only relevant for mass updates, isn't it?

Upvotes: 0

Views: 120

Answers (1)

Richard Brown

Reputation: 11444

You can restrict what fields can be mass assigned using:

attr_accessible :name, :address # no :salary

Upvotes: 2
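To make the answer concrete: `update_attributes(params[:user])` is itself a mass assignment, so the `attr_accessible` whitelist above is exactly what governs it. The following is an added example, not code from the question, the answer or Rails: a small stand-in model that reproduces the two behaviours (no whitelist versus an `attr_accessible`-style whitelist) without needing ActiveRecord installed. The class names `UnsafeUser`/`SafeUser`, the `ACCESSIBLE` constant and the `TAMPERED_PARAMS` hash are all constructed for illustration.

```ruby
# Added example (not from the question, the answer or Rails): a minimal
# stand-in for an ActiveRecord model that mimics attr_accessible-style
# whitelisting so the mass-assignment problem and the fix run without Rails.

class UnsafeUser
  attr_accessor :name, :address, :salary

  def initialize(name:, address:, salary:)
    @name, @address, @salary = name, address, salary
  end

  # Mirrors update_attributes(params[:user]) on a model with no
  # attr_accessible declaration: every key in the hash is written through,
  # including ones the form was never meant to expose.
  def update_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

class SafeUser < UnsafeUser
  # Simulates `attr_accessible :name, :address  # no :salary`
  ACCESSIBLE = [:name, :address].freeze

  # Rails 3 drops protected attributes during mass assignment (logging a
  # warning by default); this does the same, so :salary is never written.
  def update_attributes(attrs)
    attrs.each do |key, value|
      next unless ACCESSIBLE.include?(key.to_sym)
      public_send("#{key}=", value)
    end
    self
  end
end

# Constructed request parameters: the user edits their address, but an extra
# 'salary' field has been injected into the submitted form data.
TAMPERED_PARAMS = { "address" => "1 New Street", "salary" => 1_000_000 }.freeze

def mass_assign_unsafe
  UnsafeUser.new(name: "Larry", address: "Old Road", salary: 50_000)
            .update_attributes(TAMPERED_PARAMS)
end

def mass_assign_safe
  SafeUser.new(name: "Larry", address: "Old Road", salary: 50_000)
          .update_attributes(TAMPERED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe salary: #{mass_assign_unsafe.salary}"   # 1000000
  puts "safe salary:   #{mass_assign_safe.salary}"     # 50000
end
```

The address change goes through in both cases; only the whitelisted model leaves `salary` untouched. Anything that must never come from a form (pay, roles, admin flags) belongs outside the `attr_accessible` list and gets set explicitly in controller or model code instead.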
