This might be a stupid question, but please bear with me.
I've been playing around with a rails app that I am working on, and I was in the console (ie. rails c
), and I decided to try to add a user to the database via the console.
My User
model has a role
attribute, which is excluded from the list of strong params in the UsersController
. However, when I was using the console, I was able to edit the value of the new user's role, by doing update_attribute
. This concerns me. Does this mean that I am not doing strong params correctly and have somehow not protected my User model from mass-assignment? Or does the rails console bypass mass assignment intentionally? Is there any security vulnerability here?
Here is the console input/output:
2.3.1 :004 > user.update_attribute("role", "admin")
(0.1ms) begin transaction
SQL (0.7ms) UPDATE "users" SET "updated_at" = ?, "role" = ? WHERE "users"."id" = ? [["updated_at", "2017-06-21 10:25:34.134203"], ["role", "admin"], ["id", 4]]
(92.1ms) commit transaction
=> true
and here is the relevant part of UsersController
:
def create
sleep(rand(5)) # random delay; mitigates Brute-Force attacks
@user = User.new(user_params)
if @user.save #&& verify_recaptcha(model: @user)
if @user.update_attribute('role', 'user')
@user.send_activation_email
flash[:info] = "Please check your email to activate your account."
redirect_to root_url
else
render 'new'
end
else
render 'new' #Reset the signup page
end
end
#...
#Defines which fields are permitted/required when making a new user.
def user_params
params.require(:user).permit(:name, :email, :password, :password_confirmation)
end
thank you in advance.
user.update_attribute("role", "admin")
it has got nothing to do with strong parameters.. That just generates an sql query as you see in the console which updates the record.
strong parameters are used to restrict unpermitted params coming from the view/client and modify your record.
As in your case,
your user_params
does not include role
because you are assigning it yourself. in case you had not done that and in the request body I had sent role: 'admin'
,
User.new(params)
would make the user admin
, if verify_recaptcha(model: @user)
condition fails..