Fire Emblem

Reputation: 5961

attr_accessible/security question with rails - what is the best way to deal with this?

I have a question concerning Rails security. Let's say we have User model, and it has many boolean values for roles, such as admin, director, and so on.

An Admin will definitely want to edit these values on forms, so we'll want to use attr_accessible to let the admin user do this.

Of course, other users will be able to edit their User model as well - either editing their profile, or when they invite/add new users to the system themselves. In the case of directors, we actually want them to set roles that are "lesser" than director, but we don't want them to be able to set director or admin.

Since we expose these controllers that modify users, wouldn't attr_accessible allow director and admin to be set in this case? This sounds like a very big security hole.

So what is the best way to restrict access?

  1. Set each parameter, one at a time?

  2. Set admin = false and director = false on the create/update actions? The simplest solution, but kind of nasty to have this in the controller.

  3. Use an if statement to see if that user role can edit those attributes and allow it?

  4. Use Rails callbacks, such as before_validation or before_save?

  5. Some other declarative solution?

Thanks

Upvotes: 1

Views: 1254

Answers (2)

Andrew Nesbitt

Reputation: 6046

The upcoming release of Rails 3.1 (there is a release candidate out at the moment) has a new option to attr_accessible that will allow you to define a role that can override it at the controller level by passing without_protection => true.

You can read more about it here: http://www.enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1

And the section about attr_accessible in the rails security guide here: http://edgeguides.rubyonrails.org/security.html#countermeasures

Upvotes: 3

Jits

Reputation: 9728

One of these may be of help:

https://github.com/dmitry/attr_accessible_block

https://github.com/thefrontiergroup/scoped_attr_accessible

... allowing you to use role based conditions to determine what attributes can be set.

Upvotes: 0
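The role-scoped attribute whitelisting that the question asks for (option 3/5) and that both answers point to, as an added example that is not part of the original question or answers. It is plain Ruby rather than Rails or either linked gem, so the role names, the attribute lists and the `sanitize_params`/`apply_update` helpers are all hypothetical; the idea is that the set of mass-assignable attributes is derived from the acting user's role, and anything outside that set is dropped and recorded rather than silently written.

```ruby
# Added example (not from the original question or answers): role-scoped
# mass-assignment filtering in plain Ruby. Role names, attribute lists and
# helper names are hypothetical and chosen to mirror the question.

# Attributes any user may set on their own record.
BASE_ATTRS = %w[name email].freeze

# Role flags each acting role is allowed to grant. A director may only grant
# roles "lesser" than director; only an admin may grant director or admin.
PERMITTED_FLAGS = {
  "member"   => [],
  "director" => %w[moderator],
  "admin"    => %w[moderator director admin],
}.freeze

# Whitelist of mass-assignable attributes for the given acting role.
# Unknown roles get only the base attributes (fail closed).
def permitted_attributes(actor_role)
  BASE_ATTRS + PERMITTED_FLAGS.fetch(actor_role) { [] }
end

# Split incoming params into the permitted subset and the rejected keys.
# Keys are normalised to strings so symbol/string params behave the same.
def sanitize_params(params, actor_role)
  allowed  = permitted_attributes(actor_role)
  clean    = {}
  rejected = []
  params.each do |key, value|
    k = key.to_s
    if allowed.include?(k)
      clean[k] = value
    else
      rejected << k
    end
  end
  [clean, rejected]
end

# Apply a filtered update to a user record (a plain Hash here) and return
# the updated record plus an audit entry for any attempted privilege escalation.
# Rejected keys are worth logging: a request carrying "admin" from a
# non-admin session is a signal, not just noise.
def apply_update(user, params, actor_role)
  clean, rejected = sanitize_params(params, actor_role)
  audit = rejected.empty? ? nil : { "actor_role" => actor_role, "rejected" => rejected }
  [user.merge(clean), audit]
end

# Constructed sample request: a director tries to promote a user to admin
# while also granting a permitted moderator flag and changing the name.
SAMPLE_PARAMS = { "name" => "Alice", "moderator" => true, "admin" => true }.freeze

def demo
  user = { "name" => "Al", "email" => "al@example.test",
           "moderator" => false, "director" => false, "admin" => false }
  apply_update(user, SAMPLE_PARAMS, "director")
end

if __FILE__ == $PROGRAM_NAME
  updated, audit = demo
  puts "updated: #{updated.inspect}"
  puts "audit:   #{audit.inspect}"
end
```

Because the whitelist is computed from the acting role rather than fixed on the model, the same controller action serves admins, directors and ordinary members without any per-action `admin = false` resets, and the rejected-key list gives you something to alert on.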
