I’m a Rails beginner and currently reading Michael Hartl’s Rails 3 Tutorial and have a question that I’m really curious about:
In the context of creating an admin user and some other 99 normal users via ‘faker’, Hartl explains why it would be a bad idea to add “:admin” to the attr_accessible in the user model and thus add “admin: true” to the initialization hash in the ‘faker’ test code. Instead he explains that one should use “toggle!(:admin)” and avoid adding “:admin” to the accessible attributes because otherwise malicious users could directly send a PUT request like “PUT /users/17?admin=1”.
http://ruby.railstutorial.org/book/ruby-on-rails-tutorial#sec:revisiting_attr_accessible
So, following Hartl’s advise my admin boolean now is secure but what about my other user attributes such as name, email, which ARE defined as accessible attributes? Does this mean that malicious users could easily change these attributes via a PUT request similar to the one above? In the Tutorial, Hartl speaks of a command-line tool named curl that could issue such PUT request forms. I don’t really want to try this with my sample app, my question just is, am I overlooking something or could a malicious PUT request such as “put /users/17?name=’new_name'”?
Thank you in advance if anyone will answer my question!
Yes, they could be changed via a PUT, but in general that’s what you want. You still should check whether the current user has access to set those fields on the user.
Admin flags and the like are special cases because you want to be able to set those explicitly, as opposed to a mass assignment. You don’t want a user to be able to set themselves as an admin, but having a user change their own email address or name or whatever should be fine.