[Rails] Re: attrs_accessible.

On Feb 27, 11:24 am, Mauro <mrsan...@gmail.com> wrote:
> On 27 February 2011 04:05, radhames brito <rbri...@gmail.com> wrote:
>
> > it can be done like this
> >http://railscasts.com/episodes/237-dynamic-attr-accessible
>
> I'm viewinghttp://asciicasts.com/episodes/26-hackers-love-mass-assignment.
> It says that an hacker can do curl -d
> "user[name]=hacker&user[admin]=1"http://localhost:3000/Users/and
> create an admin user.
> Ok, wtih attr_accessible he can't do that but..........if he can't
> create an admin user he always can create a user, not an admin user
> but a user.
> That is he can insert values in my database.
> I can't use attr_accessible for all my model attributes.

The hacker can only do that if you make the users/create action
publicly available (ie you don't do something like require a logged in
user that is an admin).
Very often users/create is publicly available (eg if anyone is allowed
to signup) and so you do need to make sure users can't sign up as an
admin.

Fred

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.