ruby on rails params injection

Posted by Julien P. on Stack Overflow See other posts from Stack Overflow or by Julien P.
Published on 2010-04-16T11:58:23Z Indexed on 2010/04/16 12:13 UTC
Read the original article Hit count: 366

Filed under:
|
|

Hello everyone, I have a question about ruby on rails and the process of assigning variables using the params variable passed through a form

class User
  attr_accessible :available_to_admins, :name
end

Let's say that I have a field that is only available to my admins. Assuming that you are not an admin, I am going to not display the available_to_admins input in your form.

After that, when I want to save your data I'll just do a:

User.update_attributes(params[:user])

If you are an admin, then no problem, the params[:user] is going to contain name and available_tu_admins and if you're not then only your name.

Since the available_to_admins is an attr_accessible parameter, how should I prevent non admin users from being able to inject a variable containing the available_to_admins input with their new value?

© Stack Overflow or respective owner

Related posts about ruby-on-rails

Related posts about params