On Feb 27, 11:24 am, Mauro <[email protected]> wrote:
> On 27 February 2011 04:05, radhames brito <[email protected]> wrote:
>
> > it can be done like this
> > http://railscasts.com/episodes/237-dynamic-attr-accessible
>
> I'm viewing http://asciicasts.com/episodes/26-hackers-love-mass-assignment.
> It says that a hacker can do curl -d
> "user[name]=hacker&user[admin]=1" http://localhost:3000/Users/ and
> create an admin user.
> Ok, with attr_accessible he can't do that but..........if he can't
> create an admin user he always can create a user, not an admin user
> but a user.
> That is he can insert values in my database.
> I can't use attr_accessible for all my model attributes.
The hacker can only do that if you make the users/create action publicly available (i.e. you don't do something like require a logged in user that is an admin). Very often users/create is publicly available (e.g. if anyone is allowed to signup) and so you do need to make sure users can't sign up as an admin.

Fred
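Fred's point, that a whitelist lets a public signup go through while keeping the admin flag off limits, as an added Ruby example that is not from this thread or from Rails itself: `User`, `ACCESSIBLE` and `parse_nested_params` are constructed stand-ins for an ActiveRecord model with attr_accessible and for Rack's nested parameter parsing, and the request body is the one quoted above.

```ruby
require "uri"

# Parse a form-encoded body such as "user[name]=hacker&user[admin]=1" into
# one level of nested hashes, the shape Rack hands to a Rails controller:
# {"user" => {"name" => "hacker", "admin" => "1"}}.
def parse_nested_params(body)
  params = {}
  URI.decode_www_form(body).each do |key, value|
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# Constructed stand-in for an ActiveRecord model (not Rails).
class User
  ATTRIBUTES = %i[name email admin].freeze
  # Whitelist, as attr_accessible would declare it: only these may be
  # set through mass assignment from request parameters.
  ACCESSIBLE = %i[name email].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(attrs = {})
    @admin = false            # the default any signup gets
    assign_attributes(attrs)
  end

  # Mass assignment: whitelisted keys are set, everything else is dropped.
  # Returns the dropped keys so the caller can log them, much like the
  # "Can't mass-assign protected attributes" warning Rails emits.
  def assign_attributes(attrs)
    dropped = []
    attrs.each do |key, value|
      name = key.to_sym
      next dropped << name unless ACCESSIBLE.include?(name)
      instance_variable_set("@#{name}", value)
    end
    dropped
  end

  # Privileged path only: never reachable from params.
  def admin=(flag)
    @admin = flag
  end
end

# What a public users/create action does with the posted body.
def create_user_from_body(body)
  User.new(parse_nested_params(body).fetch("user", {}))
end
```

A signup still creates a user, as Mauro notes, but `admin` stays false no matter what the client posts.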

