Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Rails attr_accessible :object vs :object_id

Tags:

security

ruby-on-rails

A User has_one Account. When setting up attr_accessible on the User model is it better to protect :account, :account_id or both?

attr_accessible :account

or

attr_accessible :account_id

or

attr_accessible :account, :account_id

I feel like both is the way to go (as it's more secure) even though it feel less DRY.

Update to give more background

Just to give a bit more background on why I'm asking. I, like most ppl, saw what happened to Github so we're going through our app and locking it down a little tighter.

In the process of doing this I found tests in which we pass in account

User.create account: account

and where we passed in account_id:

User.create account_id: account.id

My options were to either change them all to be consistant or change attr_accessible to allow either. I decided to change them all to be consistant. But this got me worried that we were perhaps using both methods throughout our app and I might break our app by only allowing one or the other.

I did misspeak when I said using both is more secure. It was a long day.

like image 229
pcg79 Avatar asked Mar 13 '12 18:03

pcg79

1 Answers

There's no right answer for this one, though it does depend on how you intend to update this user. attr_accessible :account will allow you to mass-assign the account directly like this:

user.update_attributes(:account => account)

Helpful if you already have an account object that you want to associate to the user along with a lot of other attributes. On the other hand, attr_accessible :account_id would be more appropriate if you were assigning the account's ID, as from a dropdown or some other form element:

user.update_attributes(params[:user]) # params[:user][:account_id] is a part of this hash

This latter case is generally considered more dangerous and was part of the problem with Github's recent security issue: that you can post any account_id you like, including an account that doesn't belong to you, and your user will be assigned to it.

So overall I would go for the former and do a look-up to ensure the account is one that you expect, but as I said at the beginning, you can go either way on this one depending on how you intend to use it.

like image 138
Veraticus Avatar answered Nov 15 '22 23:11

Veraticus
Sign in to Comment

Related questions

heroku undefined method empty? when upgrading my app to ruby 2.0
Wrong number of arguments when run compass watch
Why does activerecord not populate an auto-incrementing column in the item returned from a create?
Active_Shipping Negotiated Rates for UPS - Ruby on Rails
Carrierwave gem. How to rename uploaded image versions after recreating them?
Model instance method returning wrong result the first time it is run, and the correct result subsequently
Active admin multiple file/image upload with paperclip
How should secret files be pushed to an EC2 Ruby on Rails application using amazon web services with their elastic beanstalk?
How to combine video and audio through API or JS? [closed]
`autodetect': No known ORM was detected
Why does this locals variable declaration not work?
Can an ActiveRecord `.select` method have an interpolated string like in `.where`?
Gemfile require gem in all environments except one
Failed to open TCP connection to localhost:9200 (Connection refused - connect(2) for "localhost" port 9200) (Faraday::ConnectionFailed)
Ransack exact match with array values
Is there a standard/elegant way of achieving Firebase-like reactive objects without Firebase?
Parse 'ul' and 'ol' tags
Data type for currency using Mongoid
How to set session variables in Rails integration tests
Rails 3 + JQuery-File-Upload + Nested Model

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!