views: 30, answers: 2

In rails, when updating a model, how do you prevent certain properties of the model from being updated when using a call like:

@user.update_profile params[:user]

Since anyone can just create a form input with a name like 'password', how can you filter the set of properties that you are allowing to be updatable?

Is this what attr_XXX is for?

+4  A: 

You're looking for attr_accessible. It lets you specify which attributes can be set through mass-updating (like update_attributes), but you'll still be able to set the attributes "manually" (i.e. @user.attribute = ...).

For more information, see The importance of attr_accessible in Ruby on Rails.

Daniel Vandersluis
OK, so that will prevent mass updates during form posts etc., right?
Blankman
@Blankman Correct, any attributes that are not specified as accessible will not be updateable through `params`.
Daniel Vandersluis
+3  A: 

You're looking for attr_protected to black list any attributes you don't want altered in a bulk update. Throw it in your model and give it a list of attribute symbols to blacklist.

class User < ActiveRecord::Base
  attr_protected :password
end 

Alternatively you can use attr_accessible to take the white list approach and only the attributes given can be updated when updating the entire record at once. Every other attribute will be protected.

N.B. Protected attributes can still be overwritten if they are directly assigned to, as in

@user.password = "not secure"
EmFi
Note that `attr_protected` and `attr_accessible` (which I mentioned in my answer), are two sides of the same coin. `attr_accessible` makes you list the attributes you **want** to have bulk updateable; `attr_protected` lists the attributes you **don't want** to be updateable.
Daniel Vandersluis
However, with `attr_accessible`, if you ever add more attributes to your model, you won't have to worry about them being accessible unless you specify them as such; with `attr_protected`, any new attributes will be accessible. Of course, which is the right answer depends on what you expect to happen (though some people think it's preferable to explicitly list what you do want so that there aren't any surprises).
Daniel Vandersluis
@Daniel Vandersluis: Yes, that's true. White listing with attr_accessible is a much better security strategy than black listing with attr_protected. But the way the question was worded implied the black list approach was preferred.
EmFi
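The following is an added example, not code from either answer above and not ActiveRecord's own implementation. It is a small dependency-free Ruby re-implementation of the mass-assignment rules the two answers and their comments describe (whitelist via attr_accessible, blacklist via attr_protected, direct assignment bypassing both), so the behaviour can be run without Rails. The MassAssignment module, the BlacklistUser/WhitelistUser classes, the `admin` column and the forged request parameters are all constructed for illustration. Note that this API belongs to Rails 2 and 3; Rails 4 moved mass-assignment filtering out of the model into strong parameters in the controller.

```ruby
# Added example: a minimal model of ActiveRecord mass-assignment protection.
# Not ActiveRecord code; class names, attributes and params are assumed.

module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Whitelist: only these attributes may be set through mass assignment.
    def attr_accessible(*names)
      @accessible = names.map(&:to_sym)
    end

    # Blacklist: these attributes may never be set through mass assignment.
    def attr_protected(*names)
      @protected = names.map(&:to_sym)
    end

    def accessible_attributes
      @accessible
    end

    def protected_attributes
      @protected || []
    end

    # A whitelist, when present, wins; otherwise fall back to the blacklist.
    # With neither declared, everything is mass-assignable (the old default).
    def mass_assignable?(name)
      name = name.to_sym
      return accessible_attributes.include?(name) if accessible_attributes
      !protected_attributes.include?(name)
    end
  end

  # What update_attributes(params[:user]) does: assign each key that passes
  # the filter, silently drop the rest. Returns the dropped keys so the caller
  # can see what was stripped.
  def update_attributes(params)
    rejected = []
    params.each do |key, value|
      if self.class.mass_assignable?(key)
        send("#{key}=", value)
      else
        rejected << key.to_sym
      end
    end
    rejected
  end
end

# Blacklist approach from the second answer, with an extra "admin" attribute
# added later that nobody remembered to protect.
class BlacklistUser
  include MassAssignment
  attr_accessor :name, :email, :password, :admin
  attr_protected :password
end

# Whitelist approach from the first answer: "admin" is safe by default.
class WhitelistUser
  include MassAssignment
  attr_accessor :name, :email, :password, :admin
  attr_accessible :name, :email
end

# Constructed request parameters: a legitimate profile edit plus two fields an
# attacker adds by editing the form HTML before submitting it.
FORGED_PARAMS = {
  "name"     => "alice",
  "email"    => "alice@example.com",
  "password" => "attacker-chosen",
  "admin"    => true,
}.freeze

def mass_assign_demo(klass)
  user = klass.new
  user.password = "original"
  user.admin = false
  rejected = user.update_attributes(FORGED_PARAMS)
  { name: user.name, password: user.password, admin: user.admin, rejected: rejected }
end

# The N.B. from the second answer: protection only filters mass assignment;
# a direct setter call always goes through.
def direct_assignment_bypass
  user = WhitelistUser.new
  user.password = "not secure"
  user.password
end
```

Running mass_assign_demo(BlacklistUser) shows the forged password dropped but `admin` flipped to true, because the blacklist never mentioned it; mass_assign_demo(WhitelistUser) drops both. direct_assignment_bypass shows the whitelist is irrelevant to `@user.password = ...`, which is why a controller that assigns from params one field at a time gets no benefit from either declaration.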