@foo = Bar.new(params[:foo])

While doing @foo = Bar.new(params[:foo]) in a controller, the
application is open to injection attacks.

For example,
My model has following attributes :
name
password
admin - boolean

Now, if on my form I'm just accepting name & password, and doing @foo
= Bar.new(params[:foo]) in my controller, someone can just enter the
following in the form :

<%= text_field 'foo', 'admin' %> and set it to true, and post it to
my controller.

Right now, for such attributes, I’m doing the following :
@foo = Bar.new(params[:foo])
@foo.admin = false

But I'm sure there are better conventions to overcome this problem.
Please let me know how you handle this problem?

Regards,
Pratik

> While doing @foo = Bar.new(params[:foo]) in a controller, the
> application is open to injection attacks.
I wouldn't say this is 'injection' in the traditional sense of the term.
This is more about application design. As the admin switch is really
important, protect it in the model:

attr_protected :admin

Then provide methods to grant and revoke admin status:

def grant_admin
  # self. is required: a bare `admin = 1` only creates a local variable
  self.admin = true
end

def revoke_admin
  self.admin = false
end

Hope that helps,

Steve
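As an added example (not code from the thread or from Rails itself), here is a plain-Ruby stand-in for attr_protected that shows why an admin field smuggled into the form never reaches the model, while grant_admin/revoke_admin stay the only paths that change it. The ProtectedAttributes module, submitted_foo and the sample params are assumptions made for the example.

```ruby
# Minimal stand-in for ActiveRecord's attr_protected: a class-level blacklist
# of attributes that mass assignment must not set.
module ProtectedAttributes
  def attr_protected(*names)
    protected_attributes.concat(names.map(&:to_s))
  end

  def protected_attributes
    @protected_attributes ||= []
  end
end

class Bar
  extend ProtectedAttributes
  attr_accessor :name, :password, :admin

  # Only admin is protected; name and password may come from the form.
  attr_protected :admin

  # Mass assignment from params[:foo]. Protected keys are dropped (Rails logs
  # a warning for each); unknown keys raise so typos do not pass silently.
  def initialize(attrs = {})
    @admin = false
    attrs.each do |key, value|
      key = key.to_s
      if self.class.protected_attributes.include?(key)
        warn "mass assignment ignored protected attribute: #{key}"
        next
      end
      setter = "#{key}="
      raise ArgumentError, "unknown attribute: #{key}" unless respond_to?(setter)
      public_send(setter, value)
    end
  end

  # The only intended ways to change the flag. `self.` matters: a bare
  # `admin = true` inside a method creates a local variable instead.
  def grant_admin
    self.admin = true
  end

  def revoke_admin
    self.admin = false
  end
end

# Constructed form submission with an extra admin field, as in the question.
def submitted_foo
  Bar.new("name" => "pratik", "password" => "s3cret", "admin" => "1")
end
```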

attr_protected

-Jonathan.

Awesome.

Thanks a lot.

-Pratik