ruby-on-railsruby-on-rails-5mass-assignment

Does the Rails Console Bypass Mass-Assignment Protection?


This might be a stupid question, but please bear with me.

I've been playing around with a rails app that I am working on, and I was in the console (ie. rails c), and I decided to try to add a user to the database via the console.

My User model has a role attribute, which is excluded from the list of strong params in the UsersController. However, when I was using the console, I was able to edit the value of the new user's role, by doing update_attribute. This concerns me. Does this mean that I am not doing strong params correctly and have somehow not protected my User model from mass-assignment? Or does the rails console bypass mass assignment intentionally? Is there any security vulnerability here?

Here is the console input/output:

2.3.1 :004 > user.update_attribute("role", "admin")
(0.1ms)  begin transaction
SQL (0.7ms)  UPDATE "users" SET "updated_at" = ?, "role" = ? WHERE  "users"."id" = ?  [["updated_at", "2017-06-21 10:25:34.134203"], ["role", "admin"], ["id", 4]]
(92.1ms)  commit transaction
=> true 

and here is the relevant part of UsersController:

def create
    sleep(rand(5))    # random delay; mitigates Brute-Force attacks
    @user = User.new(user_params)

    if @user.save #&& verify_recaptcha(model: @user)
        if @user.update_attribute('role', 'user')
          @user.send_activation_email
          flash[:info] = "Please check your email to activate your account."
          redirect_to root_url

        else
          render 'new'
        end

    else
        render 'new' #Reset the signup page
    end
end

#...

#Defines which fields are permitted/required when making a new user.
def user_params
    params.require(:user).permit(:name, :email, :password, :password_confirmation)
end

thank you in advance.


Solution

  • user.update_attribute("role", "admin")

    it has got nothing to do with strong parameters.. That just generates an sql query as you see in the console which updates the record.

    strong parameters are used to restrict unpermitted params coming from the view/client and modify your record.

    As in your case,

    your user_params does not include role because you are assigning it yourself. in case you had not done that and in the request body I had sent role: 'admin',

    User.new(params)
    

    would make the user admin, if verify_recaptcha(model: @user) condition fails..