Question

I have a sign-up form with an email field and a hidden field assigning a role to the User.

<%= f.hidden_field :role, value: 'standard' %>

The form is accessible to everyone, and assigns an "author" role. I'm wondering if it is a secure way to assign role since the hidden field is visible in html. Any help is welcome. Thank you in advance.

Note that I do auto-assign a "reader" value to the User.role.


Solution

A hidden field in a form is no more or less secure than any other data that comes from the user. That is, it should not be trivially trusted: it comes from the user and is open to manipulation and specialty injection.

When the data is sent back to the server, the server should validate that data and not assume that the operation is allowed/invalid just based on a particular user-modifiable context. Depending upon needs, approaches like hash checksums can be used to have a very high degree of confidence that the data was not tampered with (but again, this should be verified by the server each request!). Using "session state" mitigates the problem entirely by keeping the data out of user-manipulation land.
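The three approaches the answer names (server-side assignment that ignores the hidden field, a signed hidden value that the server verifies on every request, and session state) in plain Ruby, as an added example that is not part of the original answer or of any Rails API. The secret key, the `signup`/`admin_panel` form names, the `reader`/`standard`/`admin` role names and the `session` hash are assumptions for the demo; Rails' `hidden_field` helper is not involved.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not from the original post). Illustrates the answer's three
# points without Rails: (1) treat the submitted hidden field as untrusted and
# pick the role on the server, (2) sign a hidden value with an HMAC and verify
# it on every request, (3) keep the value in the session. The key, form names
# and role names below are assumptions for the demo.

SECRET_KEY = SecureRandom.hex(32)                 # real apps: a long-lived secret from config
PUBLIC_SIGNUP_ROLES = %w[reader standard].freeze  # roles the public form may ever yield

# 1. Untrusted hidden field: whatever the client sent is ignored and the role
#    is chosen on the server. params['role'] is deliberately never read.
def assign_signup_role(params)
  'reader'
end

# 2. HMAC-signed hidden value. The form name is mixed into the signed message
#    so a value legitimately issued for one form (e.g. an admin-only form that
#    emits 'admin') cannot be replayed into the public sign-up form.
def sign_hidden_value(form, value, key = SECRET_KEY)
  mac = OpenSSL::HMAC.hexdigest('SHA256', key, "#{form}\0#{value}")
  "#{value}--#{mac}"
end

# Constant-time comparison so a forged MAC cannot be guessed byte by byte via
# timing. Lengths are compared up front; the digest length is fixed anyway.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the embedded value if the MAC is valid for this form, else nil.
# The server recomputes the MAC on every request; nothing is cached.
def verify_hidden_value(form, signed, key = SECRET_KEY)
  value, mac = signed.to_s.split('--', 2)
  return nil if value.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', key, "#{form}\0#{value}")
  constant_time_equal?(expected, mac) ? value : nil
end

# A valid signature proves the server issued the value, not that this form is
# allowed to grant it, so the result is still checked against the allow-list.
def role_from_signed_field(form, signed, allowed = PUBLIC_SIGNUP_ROLES)
  value = verify_hidden_value(form, signed)
  return nil if value.nil?
  allowed.include?(value) ? value : nil
end

# 3. Session state: the role never leaves the server, so there is nothing for
#    the client to tamper with. `session` stands in for the framework's session.
def start_signup(session)
  session[:signup_role] = 'reader'
  session
end

def role_from_session(session, allowed = PUBLIC_SIGNUP_ROLES)
  role = session[:signup_role]
  allowed.include?(role) ? role : nil
end

if __FILE__ == $PROGRAM_NAME
  puts assign_signup_role('role' => 'admin')                                # reader
  token = sign_hidden_value('signup', 'standard')
  puts role_from_signed_field('signup', token)                              # standard
  puts role_from_signed_field('signup', token.sub('standard', 'admin')).inspect # nil: MAC mismatch
  puts role_from_signed_field('signup', sign_hidden_value('admin_panel', 'admin')).inspect # nil: wrong form
  puts role_from_session(start_signup({}))                                  # reader
end
```

The signed-value variant only helps when the value must round-trip through the client (multi-step wizards, stateless forms); if the role is fixed for everyone who can reach the form, the first or third approach is simpler and leaves nothing to verify.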

Licensed under: CC-BY-SA with attribution