Forum: Ruby on Rails Date Integrity and Form Security

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
kwerle@pobox.com (Guest)
on 2007-03-29 22:59
(Received via mailing list)
I'm new to rails, and am used to technology that takes care of the
following issue for you:

When using forms in rails, all your data paths lay exposed to the
user.  It's easy for them to hack the HTML so that when they POST/GET,
they set data for columns that you didn't mean for them to update.
attr_protected is a somewhat reasonable solution, but it means that
you have to be careful about what you do and do not protect.  Then you
have to deal with the columns you decided to protect individually -
repeatedly!  Speaking of wet - ugh.

If that were the only problem, I could probably live with it.  But in
addition to that, you're also exposing id's so that you can reference
specific rows.  A mischievous user could modify rows that they should
not - unless I check every reference to make sure they're not.  Again,
trouble that I don't want to deal with.

Has anyone modified or written an alternative to the form helpers that
would take care of this for me?  Seems like all it would take is a big
hash of magic keys to swap in/out for the normal values.  I imagine
instead of
<input ... name="model[attribute]" ...
or even worse
<input ... name="model_rownum_attribute" ...
you would get
<input ... name="my_magic_hash" ...

Then when the rails app received the next request, the "my_magic_hash"
would be replaced with the regular string.

I know I'm not the first person to want something like this - has
anyone done a rails solution?

TIA,
Kurt
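As an added illustration (not part of the original post, and not Rails code), the following plain-Ruby sketch models the two problems Kurt raises without depending on Rails: unfiltered assignment from a submitted params hash beside an allowlist that writes only the columns the form was meant to set (the idea behind attr_protected/attr_accessible and, in later Rails, strong parameters), and an unscoped row lookup beside one scoped to the current owner. The Post struct, the POSTS sample rows and the WRITABLE list are constructed for this example.

```ruby
# Added example: a Rails-free model of mass assignment and tampered row ids.
# Post stands in for an ActiveRecord row; POSTS stands in for the table.
Post = Struct.new(:id, :owner_id, :title, :body, :published)

# Constructed sample data: two posts owned by two different users.
POSTS = [
  Post.new(1, 100, 'Alice post', 'hello', false),
  Post.new(2, 200, 'Bob post',   'world', false),
]

# --- Problem 1: mass assignment -------------------------------------------

# Unfiltered: every key the client submits is written to the row, so a
# hand-edited form can set owner_id or published as easily as title.
def unsafe_update(post, params)
  params.each { |k, v| post[k.to_sym] = v }
  post
end

# Allowlist (the attr_accessible / strong-parameters idea): only attributes
# the form is supposed to edit are written; everything else is dropped.
WRITABLE = %i[title body].freeze

def safe_update(post, params)
  params.each do |k, v|
    key = k.to_sym
    next unless WRITABLE.include?(key)
    post[key] = v
  end
  post
end

# --- Problem 2: exposed row ids --------------------------------------------

# Unscoped: whatever id arrives in the request is honored.
def find_unscoped(id)
  POSTS.find { |p| p.id == id }
end

# Scoped: the row must also belong to the current user (the equivalent of
# current_user.posts.find(id)); a tampered id for another user's row yields nil.
def find_for_owner(owner_id, id)
  POSTS.find { |p| p.id == id && p.owner_id == owner_id }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed tampered request: the form only had a title field.
  tampered = { 'title' => 'Edited', 'published' => true, 'owner_id' => 999 }
  puts unsafe_update(Post.new(3, 100, 't', 'b', false), tampered).to_h
  puts safe_update(Post.new(4, 100, 't', 'b', false), tampered).to_h
  puts find_unscoped(2).to_h           # user 100 reads user 200's row
  p    find_for_owner(100, 2)          # nil: not theirs
end
```

The scoped lookup is the check Kurt would rather not repeat per controller; in a real app it lives on the association (current_user.posts) so every find inherits it.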