I have a question concerning Rails security. Let’s say we have User model, and it has many boolean values for roles, such as admin, director, and so on.
An Admin will definitely want to edit these values on forms, so we’ll want to use attr_accessible to let the admin user do this.
Of course, other uses will be able to edit their User model as well – either editing their profile, or when they invite/add new users to the system themselves. In the case of director’s, we actually want them to set roles that are “lesser” than director, but we don’t want him to be able to set director or admin
Since we expose these controllers that modify users, wouldn’t attr_accessible allow director and admin to be set in this case? This sounds like a very big security hole.
So what is the best way to restrict access?
-
Set each parameter, one at a time?
-
Set
admin = falseanddirector = falseon the create/update actions? The simplest solution, but kind of nasty to have this in the controller. -
Use an if statement to see if that user role can edit those attributes and allow it?
-
Use rails callbacks?, such as
before_validationorbefore_save? -
Some other declarative solution?
Thanks
The upcoming release of Rails 3.1 (there is a release candidate out at the moment) has a new option to
attr_accessiblethat will allow you to define a role that can override it at the controller level by passingwithout_protection => true.You can read more about it here: http://www.enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1
And the section about attr_accessible in the rails security guide here: http://edgeguides.rubyonrails.org/security.html#countermeasures