Questions tagged [mass-assignment]

A feature of server-side web frameworks such as Ruby on Rails, in which all the parameters of an HTTP request are assigned to variables. Mass assignment security provides an interface for protecting attributes from end-user assignment.

Mass assignment is both a convenient feature and a major security concern for server-side code in web applications. If not secured properly, it can allow an attacker to set parameters that should not be controlled from the client.

321 questions
8 votes, 2 answers

Can't mass-assign protected attributes for creating a has_many nested model with Devise

I've watched the RailsCast, another nested attributes video, lots of SO posts, and fought with this for a while, but I still can't figure it out. I hope it's something tiny. I have two models, User (created by Devise), and Locker (aka, a product…
8 votes, 2 answers

Does CakePHP automatically deal with mass assignment vulnerabilities when saving modified data?

Edit: After receiving more information from DCoder, the phrase I was searching for here is a "mass assignment vulnerability." That is to say, taking advantage of the convenience of methods that would save all valid fields to the database,…
xtraorange
7 votes, 4 answers

How to fix Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) in Java

I have a Controller class with the below two methods for finding doctors (context changed). Getting the Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) error on both methods. @Controller @RequestMapping(value =…
dildeepak
7 votes, 1 answer

How to take a subset of an object using an interface?

Suppose I have this class and interface class User { name: string; age: number; isAdmin: boolean; } interface IUser { name: string; age: number; } And then I get this json object from somewhere const data = { name: "John", …
Bosak
6 votes, 4 answers

How does this stop mass assignment?

I wanted to start using attr_accessible with my models to stop the problem with mass assignment. I understand how it works and have researched as much as I could. What I don't understand is the difference between using…
dsmorey
6 votes, 2 answers

Scala bug or feature? Multiple assignment error with capital letter variables

Let's say function r returns a tuple of five values. scala> def r = (1,2,3,4,5) r: (Int, Int, Int, Int, Int) When I assign the returned value from r, I got an error with a capital-letter variable. scala> val (a,b,c,d,E) = r :13: error: not…
prosseek
6 votes, 4 answers

Should we use strong params when we update only one attribute?

I'm working on a Rails app and I have several actions (#delete_later, #ban_later and so on) where I only set one attribute from the request parameter (specifically, a reason field for doing that action). I was wondering if it is ok to do it like…
6 votes, 1 answer

Rails_admin mass assignment error with Rails 4

I just updated to Rails 4 and rails_admin is now giving me this when I try to edit anything and then hit save: Can't mass-assign protected attributes for Opportunity: created_by_id, contact_information, sent_expiring_email From what I read here it…
6 votes, 3 answers

How to assign categories for products in Magento programmatically

I am a newbie in Magento. Basically, I want to assign multiple products to multiple categories. I have followed this post and I have done the following code which is working fine: $collection =…
Faran Khan
6 votes, 1 answer

Please use new recommended protection model for params(strong_parameters) or add `protected_attributes` to your gemfile

This happened when I added an attr_accessible to my Relationship model. class Relationship < ActiveRecord::Base attr_accessible :followed_id end Without using Devise or a protected_attributes gem, what is the way around this? I know that in…
natecraft1
6 votes, 1 answer

ActiveAdmin: Can't mass-assign protected attributes: email, password, password_confirmation

I am using Rails with ActiveAdmin, with Devise for authentication. I have AdminUser and User models so that the User model doesn't have to care about admin. However, I cannot create/edit either AdminUser or User FROM INSIDE the Admin page. Every…
u19964
6 votes, 2 answers

Can't mass-assign protected attributes: profiles,

I read a lot of related posts but can't find why it's not working for me. I still have a "can't mass-assign protected attributes: profiles"... What am I doing wrong? I have a User model and a related Profile model with a one-to-one relationship. Here…
6 votes, 1 answer

Using accepts_nested_attributes_for + mass assignment protection in Rails

Say you have this structure: class House < ActiveRecord::Base has_many :rooms accepts_nested_attributes_for :rooms attr_accessible :rooms_attributes end class Room < ActiveRecord::Base has_one :tv accepts_nested_attributes_for :tv …
Max Chernyak
5 votes, 2 answers

Mongoid: How to prevent undefined fields from being created by mass assignment?

Here's the code: class M include Mongoid::Document field :name end params = { name: "foo", age: 20 } M.create(params) #=> # Notice that age wasn't defined, yet it was saved. This is problematic (potentially a source…
kenn
5 votes, 3 answers

RoR permitting non model parameter

I'm having a hard time trying to understand how to permit non model parameters. I've read: Rails Strong Parameters: How to accept both model and non-model attributes? Rails 4 Strong parameters : permit all attributes? Strong Parameters So, for a…
Vucko