
I am using HABTM checkboxes as described here:

http://railscasts.com/episodes/17-habtm-checkboxes

Problem is not all categories are available for a project, but using this method a user can inspect the code in their browser, and change the category ids before submitting.

How can I prevent this exploit? The only option I see is to brute-force loop through all category ids while comparing them to a list of valid category ids, and reject those that don't match.

Thanks

pingu

1 Answer


I would suggest adding a validation to your Project model. It should check that the categories assigned to the project are available to be assigned to that project. Then the controller can show a validation error to the user.

class Project < ActiveRecord::Base
  has_and_belongs_to_many :categories

  # A custom validation method is registered with `validate`, not `validates`
  # (`validates :name` with no options raises an ArgumentError).
  validate :categories_are_available

  private

  def categories_are_available
    # code that checks available categories and calls errors.add(:categories, ...)
    # for any category that is not available to this project
  end
end
Tom Harris
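The check the answer describes, as an added example that is not part of the answer and does not need Rails: a plain-Ruby `Project` whose `category_ids=` writer mimics the habtm writer fed by the checkbox form (including the blank hidden value the linked Railscast submits), and whose `valid?` rejects any submitted id outside an allow-list computed on the server. The `available_category_ids:` argument stands in for whatever rule decides which categories a project may use; that rule is an assumption here, not something the page specifies.

```ruby
require 'set'

class Project
  attr_reader :category_ids, :errors

  # available_category_ids: the ids this project is allowed to use, decided
  # server-side (assumed rule, not from the original answer).
  def initialize(available_category_ids:)
    @available = Set.new(available_category_ids)
    @category_ids = []
    @errors = []
  end

  # Mimics the habtm `category_ids=` writer that the checkbox form feeds.
  # The form submits a hidden "" entry alongside the checked boxes so that
  # unchecking everything still sends the parameter; drop blanks, coerce
  # the rest to Integer and de-duplicate. Nothing here trusts the browser.
  def category_ids=(ids)
    @category_ids = Array(ids).reject { |i| i.to_s.empty? }.map(&:to_i).uniq
  end

  # Server-side validation: any submitted id outside the allow-list is an
  # error, regardless of which checkboxes the page originally rendered.
  def valid?
    @errors = []
    rejected = @category_ids.reject { |id| @available.include?(id) }
    if rejected.any?
      @errors << "categories #{rejected.inspect} are not available for this project"
    end
    @errors.empty?
  end
end

# Builds a project from constructed form input (strings, as params arrive);
# categories 1-3 are available by default, anything else is not.
def build_project(submitted_ids, available: [1, 2, 3])
  project = Project.new(available_category_ids: available)
  project.category_ids = submitted_ids
  project
end
```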