Frederick Cheung wrote:
>> the controller I have kept it simple and did a
>> @user.update_attributes(params[:user]), expecting that the
>> authenticity_token would never allow any params to be posted that I
>> didn't allow through my form.
>
> The forgery protect_from_forgery protects against is cross-site
> request forgery, i.e. completely unrelated to the problem you're
> tackling. You may be interested in attr_protected/attr_accessible.
>
> Fred
Alright, that makes sense. I might have misunderstood the PFF function. But I still feel this is a grossly underestimated security hole.

It doesn't seem very ruby-esque to shield the 'forbidden' attributes with attr_accessors, since on one form you might be allowed to change it, yet on a different one you won't have that field supplied. You obviously don't want to hard-code your data entry restrictions at the controller level. That violates the DRY principle: when I change the form to allow someone to edit an extra field, I also have to 'open up' this field in the controller.

The form fields I specify in the form are the only fields the user is allowed to change on that particular entry point. How can I enforce that no extra fields are introduced?

I am thinking about an idea very similar to the authenticity token from protect_from_forgery: create a hash based on all the fields in a form and some server-side secret. Whenever the POST params come in, I know which fields are posted, so I can recreate this hash and compare.

Has this been done before? Or would I have to build this into a plugin from scratch?
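The scheme the poster sketches (an HMAC over the form's field list, verified when the params come back) can be built in plain Ruby without a plugin. The following is an added example, not code from the thread or from Rails: it signs the canonical field list under a server-side secret, ships the list and its signature as hidden inputs, and on submission recomputes the HMAC, compares it in constant time, and rejects the request if any unsigned key is present. The names `FormFieldSigning`, `_signed_fields`, `_fields_signature` and the form name `user_profile` are assumptions for the illustration; `SECRET` is generated at load time only so the example runs offline, whereas a real deployment would load a persistent secret from configuration.

```ruby
require "openssl"
require "securerandom"

# Added example (not from the original thread or from Rails): sign the list of
# field names a form is allowed to submit, so the controller can reject a POST
# that carries any field the form did not render.
#
# Assumption: SECRET is a persistent server-side secret kept out of the repo.
# It is generated here purely so the example runs stand-alone.
SECRET = SecureRandom.hex(32)

# Separator for the canonical field list; field names may not contain it,
# otherwise two different lists could canonicalise to the same string.
FIELD_SEPARATOR = "|"

module FormFieldSigning
  module_function

  # Canonical form of a field list: unique, sorted, joined by the separator.
  def canonical(fields)
    names = fields.map(&:to_s).uniq.sort
    names.each do |n|
      raise ArgumentError, "field name contains separator: #{n.inspect}" if n.include?(FIELD_SEPARATOR)
    end
    names.join(FIELD_SEPARATOR)
  end

  # HMAC-SHA256 over form name + canonical field list. Binding the form name
  # stops a signature minted for one form being replayed on another.
  def sign(form_name, fields, secret = SECRET)
    msg = "#{form_name}#{FIELD_SEPARATOR}#{canonical(fields)}"
    OpenSSL::HMAC.hexdigest("SHA256", secret, msg)
  end

  # Hidden inputs to render next to the visible fields. The list itself is
  # sent in the clear; the HMAC is what makes it tamper-evident.
  def hidden_fields(form_name, fields, secret = SECRET)
    {
      "_signed_fields"    => canonical(fields),
      "_fields_signature" => sign(form_name, fields, secret),
    }
  end

  # Controller side. Returns [:ok, params restricted to the signed fields]
  # or [:rejected, reason]. Any key outside the signed list is a hard reject,
  # not a silent drop, so tampering shows up in the logs.
  def verify(form_name, params, secret = SECRET)
    signed = params["_signed_fields"]
    sig    = params["_fields_signature"]
    return [:rejected, "missing signature"] if signed.nil? || sig.nil?

    allowed  = signed.split(FIELD_SEPARATOR)
    expected = sign(form_name, allowed, secret)
    return [:rejected, "bad signature"] unless secure_equal(expected, sig)

    submitted = params.keys - %w[_signed_fields _fields_signature]
    extra     = submitted - allowed
    return [:rejected, "unsigned fields: #{extra.sort.join(', ')}"] unless extra.empty?

    [:ok, params.slice(*allowed)]
  end

  # Constant-time string comparison so the HMAC cannot be guessed byte by byte
  # from response timing. Length mismatch is an immediate, non-secret fail.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: what the rendered form would post back.
  hidden = FormFieldSigning.hidden_fields("user_profile", %w[name email])
  legit  = { "name" => "Alice", "email" => "alice@example.com" }.merge(hidden)
  p FormFieldSigning.verify("user_profile", legit)
  # Same request with an extra field spliced in by the client.
  forged = legit.merge("admin" => "1")
  p FormFieldSigning.verify("user_profile", forged)
end
```

The controller would call `verify` before `update_attributes` and pass only the filtered hash through; this does not replace `attr_protected`/`attr_accessible` for attributes that must never be client-writable on any form, it only guarantees that each entry point accepts exactly the fields it rendered.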

