From: Shannon -jj B.
Sent on: Monday, July 27, 2009, 10:11 PM
Hi, I'm a bit of a Rails newbie, but I have a question about security. I have a User model and a Role model. Users habtm roles. I set up a multiple select box for a user to configure his roles. (Actually, I set up a multiple select box for an admin user to configure other users' roles.) Without any work in the controller, the user can configure role_ids. Hence, by default, if you can edit a user, you can edit his role_ids for free. That worries me.

Does that mean any time a user is editing ModelA that habtm ModelB, the user can hack his form to automatically edit all the modelb_ids? Should I be worried? Is this a class of vulnerabilities common to naive Rails apps? Am I making sense?

Thanks,
-jj

--
In this life we cannot do great things. We can only do small things with great love. -- Mother Teresa
https://jjinux.blo...
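The situation jj describes is mass assignment: whatever keys the client puts in the form get written to the model, role_ids included. The framework-free Ruby below (an added example, not code from the post or from Rails) reproduces that behaviour and then puts an attribute whitelist in front of it, which is what Rails offers as `attr_accessible`/`attr_protected` (2.x) and strong parameters (`permit`) later; the class and method names (User, SELF_EDITABLE, ADMIN_ONLY, permit_user_params, update_user) are assumptions for this example.

```ruby
# Added example (not from the original post or from Rails).
# A User is updated from a params hash the way a naive
# `@user.update_attributes(params[:user])` does it: every key the client
# sends becomes a setter call, so a tampered form can set role_ids.
class User
  attr_accessor :name, :email, :role_ids

  def initialize(name:, email:, role_ids: [])
    @name, @email, @role_ids = name, email, role_ids
  end

  # Naive mass assignment, no attribute protection at all.
  def update_attributes!(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Attributes a user may change on his own record (assumed list).
SELF_EDITABLE = %w[name email].freeze
# Attributes only an admin may change on someone's record (assumed list).
ADMIN_ONLY = %w[role_ids].freeze

# Whitelist filter: unknown keys, and admin-only keys when the actor is not
# an admin, are dropped. `rejected` is returned so the caller can log it,
# which is the cheap detection signal for a tampered form.
def permit_user_params(params, actor_is_admin:)
  allowed   = actor_is_admin ? SELF_EDITABLE + ADMIN_ONLY : SELF_EDITABLE
  permitted = params.select { |k, _| allowed.include?(k.to_s) }
  rejected  = params.keys.map(&:to_s) - allowed
  [permitted, rejected]
end

# Hardened update path: filter first, then mass-assign only what survived.
def update_user(user, params, actor_is_admin:)
  permitted, rejected = permit_user_params(params, actor_is_admin: actor_is_admin)
  user.update_attributes!(permitted)
  rejected
end

# Constructed sample: a self-service profile edit whose form was altered to
# also carry role_ids (ids 1 and 2 are made up for this example).
TAMPERED = { "name" => "jj", "role_ids" => [1, 2] }.freeze

if __FILE__ == $0
  naive = User.new(name: "old", email: "jj@example.com").update_attributes!(TAMPERED)
  puts "naive:     role_ids=#{naive.role_ids.inspect}"      # roles were granted
  safe = User.new(name: "old", email: "jj@example.com")
  puts "rejected:  #{update_user(safe, TAMPERED, actor_is_admin: false).inspect}"
  puts "hardened:  role_ids=#{safe.role_ids.inspect}"       # roles untouched
end
```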