ruby on rails params injection

Posted by Julien P. on Stack Overflow See other posts from Stack Overflow or by Julien P.
Published on 2010-04-16T11:58:23Z Indexed on 2010/04/16 12:13 UTC
Read the original article Hit count: 343

Filed under:

ruby-on-rails

|

params

|

injection

Hello everyone, I have a question about ruby on rails and the process of assigning variables using the params variable passed through a form

class User
  attr_accessible :available_to_admins, :name
end

Let's say that I have a field that is only available to my admins. Assuming that you are not an admin, I am going to not display the available_to_admins input in your form.

After that, when I want to save your data I'll just do a:

User.update_attributes(params[:user])

If you are an admin, then no problem, the params[:user] is going to contain name and available_tu_admins and if you're not then only your name.

Since the available_to_admins is an attr_accessible parameter, how should I prevent non admin users from being able to inject a variable containing the available_to_admins input with their new value?

© Stack Overflow or respective owner

Related posts about ruby-on-rails

Ruby on Rails - How can I start? [closed]

as seen on Programmers - Search for 'Programmers'
I have misconception in understanding the relationship between Ruby language and Ruby on Rails Framework. Because of 'I am an absolute beginner' in web development I have no idea if I have to grasp the fundamentals of Ruby before I go with Ruby on Rails! I also want to ask who is behind both Ruby… >>> More
DES3 decryption in Ruby on Rails

as seen on Stack Overflow - Search for 'Stack Overflow'
My RoR server receives a string, that was encrypted in C++ application using des3 with base64 encoding The cipher object is created so: cipher = OpenSSL::Cipher::Cipher::new("des3") cipher.key = key_str cipher.iv = iv_str key_str and iv_str: are string representations of key and initialization… >>> More
Ruby on rails: Image downloads with Authentication/Authorization/Time outs

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi Guys, I'm having few doubts on implementing file downloads. I'm creating an app where I use attachment_fu with Amazon s3 to upload files. Things are working pretty well so far on uploading side. Now its the time to start the file downloads. Here is what I need, a logged in user search and browse… >>> More
Ruby on Rails deployment, on "thin" server with lot of attachments

as seen on Stack Overflow - Search for 'Stack Overflow'
A lot of PDFs are stored inside MySQL as a BLOB field for each PDF file. The average file size is 500K each. The Rails app will stream the :binary data as file downloads, where there is a user click on the download link. Assume there is a maximum of 5 users downloading 5 PDFs concurrently, what… >>> More
Apply Behavior Driven Development to Ruby on Rails with Rspec

as seen on Internet.com - Search for 'Internet.com'
Applying the Behavior Driven Development (BDD) methodology to your Rails development takes you beyond traditional Test Driven Development. Learn how to do it with the Ruby-based BDD framework RSpec. >>> More

Related posts about params

Params order in Foo.new(params[:foo]), need one before the other (Rails)

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a problem which I don't know how to fix. It has to do with the unsorted params hash. I have a object Reservation which has a virtual time= attribute and a virtual eating_session= attribute when I set the time= I also want to validate it via an external server request. I do that with help… >>> More
How can I simplify my nested sinatra routes?

as seen on Stack Overflow - Search for 'Stack Overflow'
I require nested subdirectories in my sinatra app, how can I simplify this repetitive code? # ------------- SUB1 -------------- get "/:theme/:sub1/?" do haml :"pages/#{params[:theme]}/#{params[:sub1]}/index" end # ------------- SUB2 -------------- get "/:theme/:sub1/:sub2/?" do haml :"pages/#{params[:theme]}/#{params[:sub1]}/#{params[:sub2]}/index" end #… >>> More
Not able to save extjs combo using grails controller

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi all, I am a newbie to grails/extjs I am developing a web based config tool for my team .My issue is with comboboxes of extjs I have three remote comboxes(many to one hibernate mappng).I am using hiddenName to submit its value field(which is id primay key of database) instead of its display field… >>> More
C/C++: Passing a structure by value, with another structure as one of its members, changes values of

as seen on Stack Overflow - Search for 'Stack Overflow'
Sorry for the confusing title, but it basically says it all. Here's the structures I'm using (found in OpenCV) : struct CV_EXPORTS CvRTParams : public CvDTreeParams { bool calc_var_importance; int nactive_vars; CvTermCriteria term_crit; CvRTParams() : CvDTreeParams( 5, 10, 0, false… >>> More
Add params to given URL in Python

as seen on Stack Overflow - Search for 'Stack Overflow'
Suppose I was given by some URL. Is might already have GET parameters (e.g. http://stackoverflow.com/search?q=question) or not (e.g. http://stackoverflow.com/). And now I need to add some parameters to it like {'lang':'en','tag':'python'} so in first case I'll have http://stackoverflow.com/search… >>> More