The blog of freelance Designer & Developer, David Rice.
10 Aug 2007
This is a simple rails plugin I hacked together, mainly to see if it was possible but sparked off by one very important thought… I love the convenience of mass-assigning variables in rails.
```ruby
@user = User.create params[:user]
```
It just feels right, but obviously (as in the above example) we’re exposing mass assignment of variables to the would-be hacker, which could be used for nefarious purposes.
The usual approach is with the attr_protected method of ActiveRecord.
```ruby
class Post < ActiveRecord::Base
  attr_protected :id, :created_at
end
```
For some reason it has just never sat right with me, so I chose to experiment with this plugin! First, hook up the model attributes that you want to protect with the attr_param_protected method:
```ruby
class Post < ActiveRecord::Base
  attr_param_protected :id, :type
  ...
end
```
Then all we need to do is add the following line to our controller (it also works if you add it to ApplicationController). If you want to protect a number of models at once you can do that too:
```ruby
class PostsController < ApplicationController
  protect_params_for :post
  # or protect_params_for :post, :user
  ...
end
```
When a request comes in the attributes specified in your model will be stripped from the request parameters (they will show in your logs though!). If you want to join this mad science experiment, let me know how it goes! YMMV :)
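To make the mechanism concrete, here is an added plain-Ruby sketch of what the plugin does (my own illustration, not the plugin's source): the model declares the attributes it never wants set from a request, and a controller-side filter deletes those keys from params before mass assignment. It assumes no Rails, `params` is an ordinary Hash, and model symbols map to class names by simple capitalization.

```ruby
# Added example, not the protect_params plugin's own code. Assumption: a plain
# Hash stands in for Rails params and :post maps to the Post class.
module AttrParamProtected
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare attributes that must never be mass-assigned from a request.
    def attr_param_protected(*names)
      @param_protected = protected_param_attributes + names.map(&:to_s)
    end

    def protected_param_attributes
      @param_protected ||= []
    end
  end
end

class Post
  include AttrParamProtected
  attr_param_protected :id, :type
end

class User
  include AttrParamProtected
  attr_param_protected :id, :admin
end

# Mirrors protect_params_for :post, :user. Deletes each model's protected keys
# from params[model] in place and returns the stripped keys so a caller can log
# them (the post notes the stripped values still appear in the logs).
def protect_params(params, *models)
  stripped = []
  models.each do |model|
    klass = Object.const_get(model.to_s.capitalize)   # assumption: simple names
    attrs = params[model.to_s] || params[model]
    next unless attrs.is_a?(Hash)
    klass.protected_param_attributes.each do |name|
      next unless attrs.key?(name) || attrs.key?(name.to_sym)
      attrs.delete(name)
      attrs.delete(name.to_sym)
      stripped << "#{model}[#{name}]"
    end
  end
  stripped
end
```

Constructed request: `protect_params({"post" => {"title" => "Hi", "id" => "42", "type" => "Admin"}}, :post)` removes `id` and `type` and leaves only `title` for mass assignment.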
```shell
script/plugin install http://svn.davidjrice.co.uk/svn/projects/plugins/protect_params
```