I have a question on a solution I think is secure, but would like

Question

0

Asked: May 19, 20262026-05-19T22:16:13+00:00 2026-05-19T22:16:13+00:00

I have a question on a solution I think is secure, but would like

0

I have a question on a solution I think is secure, but would like a second opinion:

In our application we have a user model, which has a ‘roles’ attribute. Normally, i’d not have this attribute mass-assignable, as users have the possibility to update their own information and could manipulate the post hash to include ‘roles’.

In this particular case however, we are working with a rails engine that would require a lot of tinkering (which we would rather avoid) unless we leave the attribute mass-assignable.

Now, our solution is the following:
In the user#update action in the controller we simply strip the roles attribute from the params hash before it gets updated:

params[:user].delete(:roles)

Although I understand this is not an ideal solution, is it secure?

Thanks for your expertise,
Erwin

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-19T22:16:13+00:00

Editorial Team

2026-05-19T22:16:13+00:00Added an answer on May 19, 2026 at 10:16 pm

Your solution works but is not that ideal.

I think this screencast is at the state of the art:

http://railscasts.com/episodes/237-dynamic-attr-accessible

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a question on a solution I think is secure, but would like

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply