Ever since I learned about the security holes with attr_accessible, I have been trying to be very careful when it comes to this type of stuff, so I just need some clarification.

Let's say I have a Comment model and it has

attr_accessible :user_id

In my form I do

= f.hidden_field :user_id, :value => @current_user.id

so I am not taking the value from the params, but rather the current user's actual ID.

My concern is not with my own forms, however, but with rogue requests. For example, what if someone were to send a post request as follows:

POST comments?user_id=5 

when their user_id is actually 1. Would they be able to post on behalf of someone else?

Thank you.


Solution

Yeah, you're absolutely right. I think I just realized the answer. Basically when an attribute is not attr_accessible, you want to set it inside your controller directly, which makes it impossible for it to be set with a rogue request like I mentioned above. Also, if your controller is setting a variable directly from params, that's when you know something is wrong and that that variable is basically attr_accessible.

Thanks Flo
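To make the answer concrete, here is an added example that is not from the original question or answer and does not use Rails itself: a small stand-in for Rails 3-style attr_accessible mass assignment, with a vulnerable create action beside the hardened one the answer describes. The rogue request is constructed; a form built with f.hidden_field :user_id submits comment[user_id], so that is the key an attacker would forge (not a top-level user_id query parameter). The MassAssignable module, UnsafeComment, create_unsafe and create_safe are illustrative names, not Rails or any real library API.

```ruby
# Minimal imitation of Rails 3 attr_accessible semantics (illustrative, not Rails code):
# mass assignment only touches whitelisted attributes; anything else is dropped.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Whitelist attributes for mass assignment and define accessors for them.
    def attr_accessible(*names)
      @accessible = (@accessible || []) + names.map(&:to_s)
      attr_accessor(*names)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Assign only whitelisted keys; non-accessible keys are silently ignored
  # (Rails 3 logged a warning, or raised with the strict sanitizer).
  def assign_attributes(attrs)
    attrs.each do |key, value|
      next unless self.class.accessible_attributes.include?(key.to_s)
      public_send("#{key}=", value)
    end
  end

  def initialize(attrs = {})
    assign_attributes(attrs)
  end
end

# The setup from the question: user_id is on the whitelist.
class UnsafeComment
  include MassAssignable
  attr_accessible :body, :user_id
end

# The setup from the answer: user_id exists on the model but is NOT mass-assignable.
class Comment
  include MassAssignable
  attr_accessible :body
  attr_accessor :user_id
end

# Vulnerable controller action: whoever is in comment[user_id] becomes the author.
def create_unsafe(params, _current_user_id)
  UnsafeComment.new(params[:comment])
end

# Hardened controller action: mass-assign the whitelisted fields, then set
# ownership directly from the authenticated session, never from params.
def create_safe(params, current_user_id)
  comment = Comment.new(params[:comment])
  comment.user_id = current_user_id
  comment
end

# Constructed rogue request body: the logged-in user is 1 but claims to be 5.
ROGUE_PARAMS = { comment: { "body" => "hi", "user_id" => 5 } }

if __FILE__ == $0
  puts "unsafe author: #{create_unsafe(ROGUE_PARAMS, 1).user_id}"  # 5, forged
  puts "safe author:   #{create_safe(ROGUE_PARAMS, 1).user_id}"    # 1, from session
end
```

In a real Rails 3 controller the hardened form is the same idea expressed through the association, for example current_user.comments.build(params[:comment]), which assigns user_id from the parent record rather than from the request. Rails 4 later replaced attr_accessible with strong parameters, but the rule in the answer still holds: ownership fields come from the session, never from params.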

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow