You should not create or update records directly from parameters!
@user = User.new(params[:user])
This is mass assignment: it creates a new user object from every attribute submitted under :user.
<% form_for @user do |f| %>
<%= f.text_field :name %>
<%= f.text_field :email %>
...
All the attributes in this parameters hash will be used to create the new user model. If your user table contains an admin field, the ‘attacker’ can submit a POST that sets admin = true.
<% form_for @user do |f| %>
<%= f.text_field :name %>
<%= f.text_field :email %>
<%= f.text_field :admin, :value => true %>
...
How can we prevent this?
We need to allow only “safe” attributes to be mass assigned.
You might think it’s easier to specify which attributes should be restricted, but remember foreign keys are also susceptible to mass assignment.
So we are going to list the attributes that are allowed rather than the ones that are restricted. The rest we will have to assign individually. In this example you would add to your model:
attr_accessible :name, :email
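To see the difference the whitelist makes, here is an added example (not code from the original post) that reproduces the attr_accessible behaviour in a tiny stand-in for ActiveRecord, so it runs without Rails. MiniModel, UnsafeUser, SafeUser and ATTACKER_PARAMS are constructed for the illustration.

```ruby
# Added example, not code from the original post: a tiny stand-in for
# ActiveRecord reproducing the attr_accessible whitelist without Rails.
# MiniModel, UnsafeUser, SafeUser and ATTACKER_PARAMS are constructed here.
# Constructed form post: the form offered name and email; the attacker adds
# admin and a foreign key to the same request.
ATTACKER_PARAMS = {
  "user" => { "name" => "mallory", "email" => "mallory@example.com",
              "admin" => true, "account_id" => 1 }
}.freeze

class MiniModel
  # Declares the whitelist, like Rails' attr_accessible.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_sym)
  end

  def self.accessible
    @accessible # nil: no whitelist declared, every attribute is assignable
  end

  def initialize(attrs = {})
    assign_attributes(attrs)
  end

  # Mass assignment: each key in the hash becomes a setter call, unless a
  # whitelist exists and the key is not on it.
  def assign_attributes(attrs)
    whitelist = self.class.accessible
    attrs.each do |key, value|
      setter = "#{key}="
      next unless respond_to?(setter)
      next if whitelist && !whitelist.include?(key.to_sym)
      public_send(setter, value)
    end
  end
end

# No attr_accessible: admin and account_id are taken straight from params.
class UnsafeUser < MiniModel
  attr_accessor :name, :email, :admin, :account_id
end

# Whitelisted: admin and account_id are dropped and must be set by code.
class SafeUser < MiniModel
  attr_accessor :name, :email, :admin, :account_id
  attr_accessible :name, :email
end

def build_users(params = ATTACKER_PARAMS)
  [UnsafeUser.new(params["user"]), SafeUser.new(params["user"])]
end
```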
You should explicitly set which attributes are allowed in every model. If you’re lazy and forgetful like most of us, try the audit-mass-assignment plugin. It allows you to run:
rake audit:mass_assignment
It will fail on every model that does not include attr_accessible.

