-
Notifications
You must be signed in to change notification settings - Fork 0
License
webhoernchen/massassignment_security_form
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
MassassignmentSecurityForm
===============
Usage:
------
1. Add gem to your Gemfile
gem 'massassignment_security_form', :git => 'git://github.com/webhoernchen/massassignment_security_form.git'
2. bundle install
3. Create an initializer (massassignment_security_form.rb) like this:
MassassignmentSecurityForm::Config.password = 'Long secure password for encryption'
4. Your forms are secure now!
Example:
--------
<% form_tag({:action => "update"}) do %>
<%= error_messages_for :user %>
<table>
<tr>
<td><label for="user_title">Title:</label></td>
<td><%= text_field :user, :title %></td>
</tr>
<tr>
<td><label for="user_first_name">First name:</label></td>
<td><%= text_field :user, :first_name %></td>
</tr>
<tr>
<td><label for="user_name">Name:</label></td>
<td><%= text_field :user, :name %></td>
</tr>
</table>
<% end %>
It creates the following form:
<form method="post" action="/route/to/users/update">
<table>
<tr>
<td><label for="user_title">Titel:</label></td>
<td><input type="text" value="" size="30" name="user[title]" id="user_title"></td>
</tr>
<tr>
<td><label for="user_first_name">First name:</label></td>
<td><input type="text" value="Christian" size="30" name="user[first_name]" id="user_first_name"></td>
</tr>
<tr>
<td><label for="user_name">Name:</label></td>
<td><input type="text" value="Eichhorn" size="30" name="user[name]" id="user_name"></td>
</tr>
<tr>
<td>
<input type="submit" value="save" name="commit">
</td>
</tr>
</table>
<input type="hidden" value="EncryptedHashWithFormFieldsForUser" name="massassignment_fields">
</form>
After the form is committed your controller remove all attributes of the users hash, which are not allowed in the form.
Security Example:
If your Admin-Verfication is an attribute of the user (:admin => true) and
anyone adds a form field to your form in the browser like this:
<input type="hidden" value="1" name="user[admin]">
Normally (if you add no protection to the user class):
ActiveRecord will set the attribute "admin" to true for the given user on
user.#update_attributes(params[:user])
This GEM removes the attr "admin" of the user params hash, because the attribute is not used in the form!
For Testing:
------------
Disable the Gem for your functional tests:
MassassignmentSecurityForm::Config.remove_not_allowed_massassignment_fields = false
Motivation
----------
* Write a simple fix for the massassignment security problem in rails (ActiveRecord)
Tested with:
------------
* Rails 2.3.14
* formtastic 1.2.4
Help:
-----
This GEM should work with the most form_helpers in Rails
If you use a plugin or a gem with other form_helpers you can add the functionality of this GEM:
Define an extension for your form_helper like this:
def other_form_helper(object_name, method, *args)
_add_form_field(object_name, method)
super(object_name, method, *args)
end
Thats all!
For all other improvements:
* Please fork this GEM and send a pull request!
Credits
-------
Written by Christian Eichhorn
http://www.webmasters.de
About
No description, website, or topics provided.
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published