ErwinM

Reputation: 5131

question on mass assignment and related security risk

I have a question on a solution I think is secure, but would like a second opinion:

In our application we have a user model, which has a 'roles' attribute. Normally, I'd not have this attribute mass-assignable, as users have the possibility to update their own information and could manipulate the post hash to include 'roles'.

In this particular case however, we are working with a rails engine that would require a lot of tinkering (which we would rather avoid) unless we leave the attribute mass-assignable.

Now, our solution is the following: In the user#update action in the controller we simply strip the roles attribute from the params hash before it gets updated:

params[:user].delete(:roles)

Although I understand this is not an ideal solution, is it secure?

Thanks for your expertise,
Erwin

Upvotes: 0

Views: 131

Answers (1)

apneadiving

Reputation: 115541

Your solution works but is not that ideal.

I think this screencast is at the state of the art:

http://railscasts.com/episodes/237-dynamic-attr-accessible

Upvotes: 1
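Added example, not code from the question or the answer: a Rails-free simulation of mass assignment that puts the question's blacklist strip next to a whitelist, and a whitelist that widens to include 'roles' only for an admin request, in the spirit of the per-role accessible list the linked screencast describes. The User class, PERMITTED list, permit_for helper and the sample params are all constructed here. One caveat it makes visible: on a plain Hash, `delete(:roles)` leaves a string key "roles" untouched; Rails' params hash is indifferent-access so the strip works there, but the whitelist holds up regardless of how the keys arrive.

```ruby
# Added example, not code from the question or the answer. It simulates
# Rails-style mass assignment without Rails so the filtering strategies can
# be compared; User, PERMITTED, permit_for and the sample params are
# all constructed here.

class User
  attr_reader :name, :email, :roles

  def initialize
    @name  = nil
    @email = nil
    @roles = ['member']      # default role; must never be client-settable
  end

  # Mass assignment: every key in the hash becomes an attribute write.
  # This is the behaviour that lets a tampered form submission set 'roles'.
  def update_attributes(attrs)
    attrs.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end
end

# Strategy 1 (the question's approach): blacklist one key.
# Rails' params is a HashWithIndifferentAccess, where delete(:roles) also
# removes "roles"; on a plain Hash, as used here, the string key survives.
def strip_roles_blacklist(user_params)
  filtered = user_params.dup
  filtered.delete(:roles)
  filtered
end

# Strategy 2: whitelist. Only known-safe keys pass, whatever the key type.
PERMITTED = %w[name email].freeze

def permit_whitelist(user_params, extra = [])
  allowed = PERMITTED + extra
  user_params.select { |key, _| allowed.include?(key.to_s) }
end

# Strategy 3, in the spirit of a per-role accessible list: the whitelist
# widens to include 'roles' only when the current (logged-in) user is an admin.
def permit_for(user_params, admin_request)
  permit_whitelist(user_params, admin_request ? ['roles'] : [])
end

# Constructed sample request bodies: same tampered content, two key styles.
SYMBOL_KEY_PARAMS = { name: 'Alice', email: 'alice@example.test', roles: ['admin'] }.freeze
STRING_KEY_PARAMS = { 'name' => 'Alice', 'email' => 'alice@example.test', 'roles' => ['admin'] }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "blacklist, symbol keys: #{User.new.update_attributes(strip_roles_blacklist(SYMBOL_KEY_PARAMS)).roles.inspect}"
  puts "blacklist, string keys: #{User.new.update_attributes(strip_roles_blacklist(STRING_KEY_PARAMS)).roles.inspect}"
  puts "whitelist, string keys: #{User.new.update_attributes(permit_whitelist(STRING_KEY_PARAMS)).roles.inspect}"
  puts "admin request:          #{User.new.update_attributes(permit_for(STRING_KEY_PARAMS, true)).roles.inspect}"
end
```

The whitelist variants take the decision out of the request entirely: the set of writable attributes depends on who is logged in, not on which keys the client chose to send, so a new sensitive attribute added to the model later is protected by default instead of needing another `delete` in every controller action.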
