undefined | Better HN

0 pointspetercooper14y ago0 comments

Or more specifically, since the public keys objects require an associated user, the old chestnut:

    @user.public_keys.build(...)

.. where @user is retrieved in a role based manner (that is, you only get the right @user if you are authorized to get it.)

Ultimately, this is less an issue of mass assignment specifically and more an overarching one of allowing a user to perform an action in the guise of another. But, of course, these mistakes are commonly made by developers of all skill levels! :-) (me included)

0 comments

hitonagashi14y ago

No, that's not entirely correct.

You can do @user.public_keys.find(params[:id]).update_attributes(:user_id => 25)

Its the mass assignment protection on foreign keys that prevents you assigning one of your public keys to someone else, ensuring the chain is correct doesn't necessarily help with this scenario.

j / k navigate · click thread line to collapse