Question

I have a data model with these three tables, Project, Team & User. When the user creates a new project it should be possible to select which team the new project should be associated with. I'm planning to do this with radio buttons.

I've got a working implementation, but I'm doubting if this is the right way to do it. Mainly from a security standpoint. It currently looks like this (I use HAML):

/ View
= form_for @project do |f|

    / Select team
    .form-group
      - current_user.teams.each do |team|
        / I use team_id as the value for my radio button
        = f.radio_button 'team_id', team.id

[...]


/ Controller
def new
  @project = Project.new(team_id: params[:team_id])
end

def create
  @project = Project.new(project_params)
  [...]

# Never trust parameters from the scary internet, only allow the white list through.
def project_params
  params.require(:project).permit(:name, :idea_description, :team_id)
end

I'm not sure if it is secure to allow passing team_id from the view; will it be possible to create an association to any team?

So my question is, is there another way to do it? If not, is this implementation OK? Or how can I make it more secure?


Solution

With this current approach a user can set the value of the radio button to any team even if he is not a member of it. From what I understand, a project should belong to a team. If you already have it like this, just replace the first line in create with this:

    @team = current_user.teams.find project_params[:team_id]
    @project = @team.projects.build project_params

This will assure that the team id exists and is related to the user.
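The difference between the two approaches, as an added example that is not part of the question or the answer: plain Ruby stand-ins for the ActiveRecord pieces (Team, User#teams, a scope's #find raising RecordNotFound) so it runs without Rails, with constructed sample teams. create_unscoped mirrors the original controller, create_scoped mirrors the answer's fix.

```ruby
# Added illustration, not code from the question or answer. Minimal stand-ins
# for ActiveRecord so the example runs without Rails.
RecordNotFound = Class.new(StandardError)

Team    = Struct.new(:id, :name)
Project = Struct.new(:name, :team_id)

# Mimics an association scope (current_user.teams): #find only sees rows
# that belong to the scope, anything else raises RecordNotFound.
class TeamScope
  def initialize(teams)
    @teams = teams
  end

  def find(id)
    @teams.find { |t| t.id == Integer(id) } or
      raise RecordNotFound, "Couldn't find Team with id=#{id} in user's teams"
  end
end

class User
  attr_reader :teams

  def initialize(teams)
    @teams = TeamScope.new(teams)
  end
end

# Constructed sample data: three teams exist in the system.
ALL_TEAMS = [Team.new(1, "alpha"), Team.new(2, "beta"), Team.new(3, "gamma")].freeze

# Before: the original create action. team_id is mass-assigned straight from
# the request, so any existing team id is accepted (an IDOR on team_id).
def create_unscoped(project_params)
  Project.new(project_params[:name], Integer(project_params[:team_id]))
end

# After: the answer's fix. The team is resolved through the user's own teams,
# so an id the user is not a member of raises before anything is built.
def create_scoped(current_user, project_params)
  team = current_user.teams.find(project_params[:team_id])
  Project.new(project_params[:name], team.id)
end
```

In Rails the raised error is ActiveRecord::RecordNotFound, which the framework renders as a 404 in production, so a tampered team_id fails closed without extra handling in the controller.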

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow