
automagic vulnerabilities connected to habtm

From: Shannon -jj B.
Sent on: Monday, July 27, 2009, 10:11 PM

I'm a bit of a Rails newbie, but I have a question about security.  I
have a User model and a Role model.  Users habtm roles.  I set up a
multiple select box for a user to configure his roles.  (Actually, I
set up a multiple select box for an admin user to configure other
users' roles.)  Without any work in the controller, the user can
configure role_ids.  Hence, by default, if you can edit a user, you
can edit his role_ids for free.  That worries me.

Does that mean anytime a user is editing ModelA that habtm ModelB,
then the user can hack his form to automatically edit all the
modelb_ids?  Should I be worried?  Is this a class of vulnerabilities
common to naive Rails apps?  Am I making sense?


In this life we cannot do great things. We can only do small things
with great love. -- Mother Teresa
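As an added illustration (not code from the original post, and not Rails itself), here is a plain-Ruby stand-in for the behaviour the question describes: a naive update that takes every submitted key, next to the attr_accessible-style whitelist that Rails 2 offered for exactly this case (later Rails moved the same idea into strong parameters). The User class, the role ids and the params hash are all constructed for the example.

```ruby
require 'set'

# Minimal stand-in for an ActiveRecord model with a habtm :roles association.
class User
  attr_reader :name, :email, :role_ids

  def initialize(name:, email:, role_ids: [])
    @name, @email, @role_ids = name, email, role_ids
  end

  # Naive mass assignment: every key in params is written straight to the
  # model, like update_attributes with no attr_accessible list. A submitted
  # role_ids[] field therefore rewrites the habtm join rows.
  def update_attributes_naive(params)
    params.each do |key, value|
      ivar = "@#{key}"
      instance_variable_set(ivar, value) if instance_variable_defined?(ivar)
    end
    self
  end

  # Whitelisted mass assignment (the attr_accessible pattern): only the
  # attributes a normal user may edit are taken from the form; role_ids is
  # dropped and has to be set through a separate, admin-only code path.
  ACCESSIBLE = Set['name', 'email'].freeze

  def update_attributes_safe(params)
    update_attributes_naive(params.select { |k, _| ACCESSIBLE.include?(k.to_s) })
  end
end

# Constructed form submission: a profile edit to which an extra
# role_ids parameter has been added, as the question worries about.
TAMPERED_PARAMS = { 'name' => 'jj', 'email' => 'jj@example.com', 'role_ids' => [1, 2] }.freeze

def fresh_user
  User.new(name: 'old', email: 'old@example.com', role_ids: [3])
end

def naive_result
  fresh_user.update_attributes_naive(TAMPERED_PARAMS).role_ids
end

def safe_result
  fresh_user.update_attributes_safe(TAMPERED_PARAMS).role_ids
end

puts "naive: #{naive_result.inspect}"  # [1, 2]: roles overwritten by the form
puts "safe:  #{safe_result.inspect}"   # [3]: role_ids ignored
```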
