

automagic vulnerabilities connected to habtm

From: Shannon -jj B.
Sent on: Monday, July 27, 2009, 10:11 PM
Hi,

I'm a bit of a Rails newbie, but I have a question about security.  I
have a User model and a Role model.  Users habtm roles.  I set up a
multiple select box for a user to configure his roles.  (Actually, I
set up a multiple select box for an admin user to configure other
users' roles.)  Without any work in the controller, the user can
configure role_ids.  Hence, by default, if you can edit a user, you
can edit his role_ids for free.  That worries me.

Does that mean anytime a user is editing ModelA that habtm ModelB,
then the user can hack his form to automatically edit all the
modelb_ids?  Should I be worried?  Is this a class of vulnerabilities
common to naive Rails apps?  Am I making sense?

Thanks,
-jj

-- 
In this life we cannot do great things. We can only do small things
with great love. -- Mother Teresa
https://jjinux.blo...
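Added example, not part of the original post and not Rails code: a plain-Ruby stand-in for the behaviour jj describes, showing how a tampered role_ids parameter takes effect under unrestricted mass assignment and is dropped under an attribute allowlist (the protection attr_accessible gave in Rails 2.x and strong parameters give in Rails 4+). The User class, the ADMIN_ROLE_ID value and the tampered params hash are constructed for the demonstration.

```ruby
# Minimal stand-in for an ActiveRecord model; no Rails required.
class User
  attr_accessor :name, :email, :role_ids

  # Allowlist of attributes a non-admin form may mass-assign.
  # role_ids is deliberately absent: roles are assigned elsewhere.
  ALLOWED = %w[name email].freeze

  def initialize(name:, email:, role_ids: [])
    @name, @email, @role_ids = name, email, role_ids
  end

  # Default behaviour the post worries about: every key in the submitted
  # params hash is assigned, role_ids included, so a user who can edit
  # the record can grant themselves any role.
  def update_attributes_unsafe(params)
    params.each { |k, v| public_send("#{k}=", v) }
    self
  end

  # Hardened variant: only allowlisted keys are assigned; the rest are
  # returned so the controller can log the attempt.
  def update_attributes_safe(params)
    rejected = params.keys.map(&:to_s) - ALLOWED
    params.each do |k, v|
      next unless ALLOWED.include?(k.to_s)
      public_send("#{k}=", v)
    end
    rejected
  end
end

ADMIN_ROLE_ID = 1 # constructed sample value

# Constructed request: the rendered form only had name and email, but the
# client added role_ids before submitting.
def tampered_params
  { "name" => "jj", "email" => "jj@example.com", "role_ids" => [ADMIN_ROLE_ID] }
end

def unsafe_outcome
  u = User.new(name: "jj", email: "old@example.com")
  u.update_attributes_unsafe(tampered_params)
  u.role_ids # => [1]: the self-granted admin role sticks
end

def safe_outcome
  u = User.new(name: "jj", email: "old@example.com")
  rejected = u.update_attributes_safe(tampered_params)
  [u.role_ids, rejected] # => [[], ["role_ids"]]
end
```

In a real Rails app the same split applies: keep role_ids out of the attributes an ordinary edit action may assign, and set roles only from an admin-only action that checks authorization first.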