I know it’s a good practice setting attr_accessible for models.
As an example, if I have a model with an admin: boolean attribute and I
don’t set attr_accessible, a user can do: put /users/17?admin=1, making
user 17 an admin.
But if I have attr_accessible set and I want to create new users with
an HTML form, how can I set admin to true or false?
Do I have to do an update directly in the database?

On 26 Feb 2011, at 15:31, Mauro wrote:
I know it’s a good practice setting attr_accessible for models.
As an example, if I have a model with an admin: boolean attribute and I
don’t set attr_accessible, a user can do: put /users/17?admin=1, making
user 17 an admin.
But if I have attr_accessible set and I want to create new users with
an HTML form, how can I set admin to true or false?
Do I have to do an update directly in the database?
Indeed, if you protect the admin boolean from mass assignment, it’s up
to you to assign it. You can still use the incoming params to
determine if you need to set it or not, but you’ll probably want to
verify if the user has the permissions to do that.
Best regards
Peter De Berdt

On 26 February 2011 14:31, Mauro [email protected] wrote:
I know it’s a good practice setting attr_accessible for models.
As an example, if I have a model with an admin: boolean attribute and I
don’t set attr_accessible, a user can do: put /users/17?admin=1, making
user 17 an admin.
But if I have attr_accessible set and I want to create new users with
an HTML form, how can I set admin to true or false?
Do I have to do an update directly in the database?
You don’t need a separate operation on the db. In create or update in
the controller, before you call save or update_attributes, set
the admin attribute if appropriate.
Colin
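A plain-Ruby sketch of what Colin and Peter describe, added here as an example (it is not code from the thread and not Rails itself): the model whitelists name and email the way attr_accessible does, so a submitted admin key is dropped, and the create action sets admin only after an explicit permission check on the caller. The MassAssignable module, User, create_user and HACKER_PARAMS are stand-ins for the real ActiveRecord model, controller action and request params.

```ruby
# Whitelist-style mass assignment, reduced to plain Ruby (no Rails loaded).
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Stand-in for User.new(params[:user]): keys outside the whitelist are dropped.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      next unless self.class.accessible_attributes.include?(key.to_s)
      public_send("#{key}=", value)
    end
    self
  end
end

class User
  include MassAssignable
  attr_accessor :name, :email, :admin
  attr_accessible :name, :email   # admin is deliberately left out

  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
  end
end

# Stand-in for the create action: the admin flag is never taken from the form
# directly; it is set explicitly, and only when the caller is itself an admin.
def create_user(params, current_user)
  form = params["user"] || {}
  user = User.new(form)
  user.admin = true if current_user && current_user.admin && form["admin"] == "1"
  user
end

# Constructed sample of what "curl -d user[name]=hacker&user[admin]=1" arrives as.
HACKER_PARAMS = { "user" => { "name" => "hacker", "admin" => "1" } }
```

An anonymous signup with HACKER_PARAMS yields a normal user; only a caller whose own admin flag is set can produce an admin user.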

it can be done like this

On 27 February 2011 04:05, radhames brito [email protected] wrote:
it can be done like this
#237 Dynamic attr_accessible - RailsCasts
I’m viewing
http://asciicasts.com/episodes/26-hackers-love-mass-assignment.
It says that a hacker can do curl -d
“user[name]=hacker&user[admin]=1” http://localhost:3000/Users/ and
create an admin user.
Ok, with attr_accessible he can’t do that, but… if he can’t
create an admin user, he can always create a user: not an admin user,
but a user.
That is, he can insert values in my database.
I can’t use attr_accessible for all my model attributes.

On Feb 27, 11:24am, Mauro [email protected] wrote:
create an admin user, he can always create a user: not an admin user,
but a user.
That is, he can insert values in my database.
I can’t use attr_accessible for all my model attributes.
The hacker can only do that if you make the users/create action
publicly available (i.e. you don’t do something like require a logged-in
user that is an admin).
Very often users/create is publicly available (e.g. if anyone is allowed
to sign up) and so you do need to make sure users can’t sign up as an
admin.
Fred

On 28 February 2011 04:01, Bhasker H. [email protected]
wrote:
an HTML form, how can I set admin to true or false?
If it is models then all sorts of validations go in place.
To do exactly what in the model or controller? Presumably the
decision about whether a user is admin or not is made in a controller
action. You can then set @user.admin = true before saving, or you
could call a model method @user.set_admin(true). It is up to you
which you prefer.
Colin

On Sat, Feb 26, 2011 at 10:12 PM, Colin L. [email protected]
wrote:
the controller, before you call save or update_attributes, set
the admin attribute if appropriate.
Colin
Is it good practice to do this in the models or in the controllers?
If it is models then all sorts of validations go in place.
Regards,