Ruby on Rails : Danger! Mass Assignment

by neil on May 28, 2009

Please note this blog has been moved to blog.platform45.com

You should not create or update records directly from parameters!

    @user = User.new(params[:user])

This is mass assignment: it creates a new user object from every attribute submitted under params[:user].

 <% form_for @user do |f| %>
 <%= f.text_field :name %>
 <%= f.text_field :email %>
 ...

All the attributes in this parameters hash will be used to create the new user record. If your users table contains an admin column, an attacker can submit a POST that sets admin = true.

 <% form_for @user do |f| %>
 <%= f.text_field :name %>
 <%= f.text_field :email %>
 <%= f.text_field :admin, :value => true %>
 ...

How can we prevent this?

We need to allow only “safe” attributes to be mass assigned.

You might think it’s easier to specify which attributes should be restricted, but remember foreign keys are also susceptible to mass assignment.

So instead we will declare which attributes are allowed, rather than which are restricted; the rest have to be assigned individually. In this example you would add to your model:

    attr_accessible :name, :email

You should explicitly set which attributes are allowed in every model. If you’re lazy and forgetful like most of us, try the audit-mass-assignment plugin. It allows you to run:

 rake audit:mass_assignment

It will fail on every model that does not include attr_accessible.
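As an added example (not code from the original post or from Rails itself), here is a dependency-free Ruby re-creation of the attr_accessible allowlist, so the difference between an unprotected model and a protected one can be seen without a database. The classes MassAssignable, UnsafeUser and User, the constructed TAMPERED_PARAMS hash and the helper methods are all assumptions made for this illustration.

```ruby
# Minimal stand-in for ActiveRecord's mass assignment + attr_accessible (Rails 2.x era).
class MassAssignable
  # Class-level allowlist, like attr_accessible in the model.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  # nil means no allowlist was declared: the insecure default.
  def self.accessible_attributes
    @accessible
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = {}
    assign_attributes(params)
  end

  # Mass assignment: copy every submitted key, unless an allowlist filters it out.
  def assign_attributes(params)
    allowed = self.class.accessible_attributes
    params.each do |key, value|
      key = key.to_s
      next unless allowed.nil? || allowed.include?(key)
      @attributes[key] = value
    end
  end
end

# Vulnerable model: no attr_accessible, so admin is mass assignable.
class UnsafeUser < MassAssignable
end

# Hardened model, as the post recommends.
class User < MassAssignable
  attr_accessible :name, :email
end

# Constructed request parameters mimicking the tampered form shown in the post.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.com", "admin" => "true" }

# Did the admin flag survive mass assignment for this model class?
def admin_via_mass_assignment?(klass)
  klass.new(TAMPERED_PARAMS).attributes.key?("admin")
end

# Mirrors what the audit rake task reports: model classes with no allowlist at all.
def models_missing_allowlist(*models)
  models.reject(&:accessible_attributes).map(&:name)
end
```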


Will some women never change?

by Sarah Pietersen on May 19, 2009


On Saturday I attended a women’s “business networking” conference in Century City. I must admit I thoroughly enjoyed myself although it was not quite what I expected.

I expected to be welcomed and surrounded by strong successful women. I envisioned a room filled with self-starting entrepreneurs, ambitious and inspiring business women that stood against the female stereotype. Many by now are thinking “Hmmm… the female stereotype you say – touchy subject!” And yes it is a taboo subject for some. But I’m going to take advantage of the fact that this is a blog, which allows me to write my own opinions without fear of judgment.


6 Tips for finding start-up office space

by Sarah Isaacs on March 16, 2009


I have spent the last week looking at a dozen potential office spaces. The process has been painful, to say the least. Commercial estate agents are no different to the domestic kind, eager to talk about everything from their pets to their new car to their health record. It’s a struggle to remain polite in the face of such trivial chatter with the deadline to find new space drawing closer. Here are some tips for the rookie seeker.


Can personality be measured?

by Sarah Isaacs on March 2, 2009

“Sarah is new to our team and the world of IT. Out of the office she is attaining an honours degree in Organisational Psychology at UCT. In the absence of technical skills, she offers a people-orientated approach and a glimpse into the mind of the technical layman. This is her first blog. Follow her on twitter” – Neil Henegan


What is personality? Mainstream psychology textbooks define personality as an individual’s unique constellation of consistent behavioural traits, a durable disposition to behave in a particular way across a variety of situations. To simplify the concept even further, a leading personality model asserts that most of these traits are derived from five higher-order traits: extroversion, neuroticism, openness to experience, agreeableness and conscientiousness.


The Tao of productivity

by neil on November 30, 2008


I used to give productivity way more thought than it deserved, and I’ve come to realize that being productive is something more, in the same way that eating healthy is more a way of life than what you do at meal times.

To optimize your time you need to be focused. This focused state of deep concentration is when you are at your most creative and therefore most productive. If done right, a 4-hour work day is possible. Below I’ve listed what I think are the most important elements in reaching a fully focused, optimized state of mind.
