0

Ever since I learned about the security holes with attr_accessible, I have been trying to be very careful when it comes to this type of stuff, so I just need some clarification.

Let's say I have a Comment model and it has 

attr_accessible :user_id

In my form I do 

= f.hidden_field :user_id, :value => @current_user.id

so I am not taking the value from the params, but rather the current user's actual ID.

My concern is not with my own forms, however, but with rogue requests. For example, what if someone were to send a post request as follows:

POST comments?user_id=5

when their user_id is actually 1. Would they be able to post on behalf of someone else?

Thank you.

chosen2
  • 15
  • 3
  • 1
    actually i wouldn't send the current_user.id at all through a hidden field or a form. You also can access the current_user inside your controller, thats what i prefer. – Flo Jul 23 '13 at 12:57

1 Answers1

0

Yeah, you're absolutely right. I think I just realized the answer. Basically when an attribute is not attr_accessible, you want to set it inside your controller directly, which makes it impossible for it to be set with a rogue request like I mentioned above. Also, if your controller is setting a variable directly from params, that's when you know something is wrong and that that variable is basically attr_accessible.

Thanks Flo

chosen2
  • 15
  • 3