2
attr_accessible :email, :password, :password_confirmation

If not, can you please give an example of a method which prevents the 'undefined' error when attr_accessible is removed.

Joe Half Face

2 Answers

2

If you are security paranoid, you could do this by defining the method password:

# Override the writer so the virtual attribute cannot be assigned, whether
# by hand or through mass assignment. (As originally posted, the snippet
# defined a reader that called itself and would raise SystemStackError.)
def password=(_value)
  raise NoMethodError, "password cannot be assigned directly"
end

this way the password can't be set by hand.

But you shouldn’t worry about it because many login gems like devise need password in attr_accessible.

fotanus
  • ha) thanks. I'm not paranoid, but as I just don't know how hacking works, I can't tell how such issues reflect on security. I just knew it is somehow connected with security) – Joe Half Face Apr 12 '13 at 23:31
2

It is safe. Attr_accessible is only dangerous for attributes that control your application logic. For example, if you have a flag that says "yes I've checked this user is an admin", and it can be set by the user instead, because it's attr_accessible, then it's a vulnerability.

Since the password is a piece of information that is provided by the user anyway, making it settable by the same user does not change anything.

Vitaly Osipov
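The point made in this answer, as an added example that is not part of the original thread and not Rails code: a minimal stand-in for the Rails 3 attr_accessible whitelist (the module, the `User`/`UnsafeUser` classes and the `ATTACKER_PARAMS` hash are all assumptions constructed for the example). It shows why whitelisting `:admin` is a privilege-escalation bug while whitelisting `:password` changes nothing, because the user chose that value anyway.

```ruby
# Added example, not from the original thread: a tiny reimplementation of
# the whitelist idea behind Rails 3's attr_accessible, with no Rails needed.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Class-level macro, same spelling as the Rails one, whitelisting the
    # attribute names that may be written through assign_attributes.
    def attr_accessible(*names)
      @accessible = (accessible + names.map(&:to_sym)).uniq
    end

    def accessible
      @accessible ||= []
    end
  end

  # Mimics User.new(params): only whitelisted keys are written, everything
  # else is dropped. Returns the dropped keys so callers can log them.
  def assign_attributes(params)
    dropped = []
    params.each do |key, value|
      if self.class.accessible.include?(key.to_sym)
        public_send("#{key}=", value)
      else
        dropped << key.to_sym
      end
    end
    dropped
  end
end

# Safe model: the admin flag controls application logic, so it is NOT
# whitelisted; email and password are user-supplied data, so they are.
class User
  include MassAssignable
  attr_accessor :email, :password, :admin
  attr_accessible :email, :password

  def initialize(params = {})
    @admin = false
    assign_attributes(params)
  end
end

# Vulnerable model: same fields, but :admin was added to the whitelist.
class UnsafeUser
  include MassAssignable
  attr_accessor :email, :password, :admin
  attr_accessible :email, :password, :admin

  def initialize(params = {})
    @admin = false
    assign_attributes(params)
  end
end

# Constructed attacker-controlled form submission (hypothetical data): the
# extra "admin" key is what a hand-crafted POST body would carry.
ATTACKER_PARAMS = {
  "email"    => "mallory@example.com",
  "password" => "hunter2",
  "admin"    => true
}.freeze

def safe_user
  User.new(ATTACKER_PARAMS)
end

def unsafe_user
  UnsafeUser.new(ATTACKER_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "safe:   admin=#{safe_user.admin}"    # false: "admin" key dropped
  puts "unsafe: admin=#{unsafe_user.admin}"  # true: privilege escalation
end
```

Run it with `ruby mass_assignment.rb`: the safe model ends up with the password the attacker typed (harmless, it is their own password) and `admin` still false, while the vulnerable model grants admin from a form field. Real Rails 3 apps got the same effect from `attr_accessible` plus `config.active_record.whitelist_attributes`, and Rails 4 moved the whitelist to strong parameters in the controller.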