
In Ruby on Rails, it's very easy to update a model from an HTML form. Usually you can just create a form_for with the model, and the fields in there will be updated when the user hits the submit button.

Say though that a malicious user wants to update their 'salary' without going through the proper channels. Couldn't they just inject a field by the name of 'salary' when updating their email address (for example) and set their pay to basically be whatever they want? How do I specify which fields can be modified and which can't to prevent this?

Seeing things like

@user.update_attributes(params[:user])

seems scary. They could update anything. I understand the use of attr_accessible, but that's only relevant for mass updates, isn't it?

1 Answer


You can restrict what fields can be mass assigned using:

attr_accessible :name, :address # no :salary

2 Comments

Right, but couldn't the user just post the one :salary field instead of everything? Or does update_attributes always follow attr_accessible?
attr_accessible lists the fields that are allowed to be mass-assigned, such as using update_attributes. They can't assign the value because of that.
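The comment exchange above is the crux: the whitelist is applied to every key in the hash handed to update_attributes, so a request carrying only :salary is filtered exactly like one carrying :salary alongside :email. The following is an added example, not Rails' own code or anything from this post: a small plain-Ruby stand-in for ActiveRecord's attr_accessible behaviour (class MassAssignmentModel, the User subclass, the EVIL_PARAMS and SALARY_ONLY request hashes and the demo method are all constructed for illustration). It runs without Rails installed and shows the two cases the commenter asked about, plus the one thing attr_accessible does not cover: a direct setter called by your own code.

```ruby
# Added example: a minimal stand-in for the attr_accessible whitelist as it applied
# to update_attributes in Rails 3. This is a simulation, not ActiveRecord's code.

class MassAssignmentModel
  # Declare which attributes may be set from a hash (mass assignment).
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible_attributes
    @accessible || []
  end

  attr_reader :attributes, :rejected

  def initialize(attrs = {})
    @attributes = attrs.transform_keys(&:to_s)
    @rejected = []
  end

  # Mimics @user.update_attributes(params[:user]): every key in the hash goes
  # through the whitelist, whether the hash has one key or twenty.
  def update_attributes(params)
    @rejected = []
    params.each do |key, value|
      key = key.to_s
      if self.class.accessible_attributes.include?(key)
        @attributes[key] = value
      else
        # Rails 3 logs "WARNING: Can't mass-assign protected attributes: salary"
        # here and drops the key; the value is never written.
        @rejected << key
      end
    end
    self
  end

  # A direct setter is NOT mass assignment, so attr_accessible does not apply.
  # This is the "proper channel": only code you write (e.g. an admin-only
  # action) calls it, never a params hash.
  def salary=(value)
    @attributes['salary'] = value
  end
end

class User < MassAssignmentModel
  attr_accessible :name, :email # no :salary
end

# Constructed request bodies, as a malicious client would submit them.
EVIL_PARAMS = { 'email' => 'mallory@example.com', 'salary' => 1_000_000 }
SALARY_ONLY = { 'salary' => 1_000_000 }

# Returns [salary after mixed post, salary after salary-only post,
#          salary after an explicit setter call, keys rejected on the last update]
def demo
  user = User.new('name' => 'Mallory', 'email' => 'm@example.com', 'salary' => 50_000)

  user.update_attributes(EVIL_PARAMS)
  after_evil = user.attributes['salary']

  user.update_attributes(SALARY_ONLY)
  after_salary_only = user.attributes['salary']

  user.salary = 55_000 # explicit assignment bypasses the whitelist by design
  [after_evil, after_salary_only, user.attributes['salary'], user.rejected]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Two caveats a practitioner would want alongside the answer. First, attr_accessible only guards mass assignment; `user.salary = x`, and likewise single-attribute writes your own code performs, go straight through, so the protection is only as good as the places in your controllers that do such writes. Second, in Rails 3.2 the generated config sets `config.active_record.whitelist_attributes = true`, which makes every attribute protected unless a model lists it; without that setting a model with no attr_accessible or attr_protected declaration accepts everything. Rails 4 removed attr_accessible from core (it lives on in the protected_attributes gem) and moved the whitelist into the controller as strong parameters, e.g. `params.require(:user).permit(:name, :email)`, which filters the hash before it ever reaches update_attributes.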
