ruby on rails params injection
Posted by Julien P. on Stack Overflow
Published on 2010-04-16T11:58:23Z
Hello everyone, I have a question about Ruby on Rails and the process of assigning attributes using the params hash passed through a form:

    class User < ActiveRecord::Base
      attr_accessible :available_to_admins, :name
    end
Let's say that I have a field that is only available to my admins. Assuming that you are not an admin, I am not going to display the available_to_admins input in your form.
After that, when I want to save your data I'll just do a:

    @user.update_attributes(params[:user])

If you are an admin, then no problem: params[:user] is going to contain name and available_to_admins, and if you're not, only your name.
Since available_to_admins is an attr_accessible attribute, how should I prevent non-admin users from being able to inject a variable containing the available_to_admins input with their new value?
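An added example, not code from the question or from Rails itself: a plain-Ruby stand-in for the model and controller that shows why passing the raw params hash to update_attributes lets a non-admin set available_to_admins, and how filtering the hash against a per-role whitelist before it reaches the model closes the hole (the same idea Rails 3.1 offers as role-scoped attr_accessible with the as: option, and Rails 4 as strong parameters with params.require(:user).permit(:name)). The User class, update_attributes, PERMITTED_BY_ROLE and permitted_user_params are constructed names, not Rails APIs.

```ruby
# Plain-Ruby stand-in for the Rails model; not ActiveRecord.
class User
  attr_accessor :name, :available_to_admins

  def initialize
    @name = ""
    @available_to_admins = false
  end

  # Mimics mass assignment: every key in the hash becomes a setter call,
  # which is what makes an unfiltered params hash dangerous.
  def update_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Attributes each role may mass-assign (constructed whitelist). Keys not
# listed are dropped regardless of what the client put in the request.
PERMITTED_BY_ROLE = {
  user:  %w[name],
  admin: %w[name available_to_admins],
}.freeze

# Whitelist the submitted hash before it reaches the model.
def permitted_user_params(raw_params, role)
  allowed = PERMITTED_BY_ROLE.fetch(role)
  raw_params.select { |key, _| allowed.include?(key.to_s) }
end

# Vulnerable path: the raw hash goes straight to the model.
def update_user_unsafe(user, raw_params)
  user.update_attributes(raw_params)
end

# Hardened path: only role-permitted keys reach the model.
def update_user_safe(user, raw_params, role)
  user.update_attributes(permitted_user_params(raw_params, role))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: a non-admin adds the field the form never showed.
  tampered = { "name" => "alice", "available_to_admins" => true }
  puts update_user_unsafe(User.new, tampered).available_to_admins      # true
  puts update_user_safe(User.new, tampered, :user).available_to_admins # false
end
```

Note that permitted_user_params fails closed: an unknown role raises KeyError rather than permitting anything.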
© Stack Overflow or respective owner