
Rails and attr_accessible + security

I'm not sure I completely understand security and attr_accessible. Why are any attributes considered safe for mass assignment? One thing is being able to set an Admin attribute to true, or something like that. But why is it considered safe to e.g. make a user's email accessible? Isn't it, potentially, just as bad?

Well, this is a long-winded debate, and perhaps this question belongs on https://security.stackexchange.com/, but regardless...

The simple rule of thumb to follow is:

Any parameter you are willing to accept from user input directly and save to the database can be made attr_accessible.

Any parameter which the user should not be able to change via a form post, like email or is_admin, etc., should not be.

If you have attributes which need to be conditionally validated or allowed, like only an admin can set something, even then they should not be listed in the attr_accessible list.
