Strong parameters


My URL looks something like this: username/project/project_members. User has many projects; also there is a rich many-to-many relationship between users and projects through project members. Think of it like GitHub: a user has many repos and a repo has many collaborators as users.

Now to make a new object of ProjectMember, I can do mass assignment:

ProjectMember.create(user_id: params[:user_id], project_id: @project.id, role: params[:project_member][:role])

or I can do:

@project.members << @member
@project.member_project(role: params[:project_member][:role])

As you can tell, in both cases I need to find the @project and @member objects first. To find @member I am already passing user_id as a hidden field, and I find @project with my URL (see top). My form looks like:

- @users.each do |user|
  = form_tag user_project_project_members_add_path(@project.user, @project) do
    = label_tag 'username', user.username
    = hidden_field_tag "user_id", user.id
    = select('project_member', 'role', roles)
    = submit_tag 'Add', :name => nil

This kind of code leaves strong params useless, i.e. I am not using it to make my new project_member instance. Should I be concerned that I am not using strong params? I guess one hack could be that I pass project_id as a hidden field too. Should I be bending over backwards just so that I can use strong params?

Answer by max (best answer):

The kind of mass assignment that leads to vulnerabilities is when you are doing:

User.create(params[:user]) 

And then a malicious user would pass { user: { name: 'Haxxor', admin: true } } and your entire app is compromised.

Up until Rails 4, Rails would happily let you do that.

There is no real danger in doing:

ProjectMember.create(
  user_id: params[:user_id],
  project_id: @project.id,
  role: params[:project_member][:role]
)

Even if you are creating ProjectMember with a hash, you are actually manually assigning a param to each attribute.
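To make the difference concrete, here is an added, Rails-free example (not from the question or the answer) that simulates the three patterns: create-from-the-whole-hash, create through a strong-params-style permit filter, and the explicit per-attribute assignment used for ProjectMember above. The User and ProjectMember classes and the permit helper are stand-ins for ActiveRecord and ActionController::Parameters, not the real Rails API, and the request hash is constructed.

```ruby
# Stand-in for an ActiveRecord model: every key in the hash becomes a column.
class User
  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs
  end

  def admin?
    @attributes.fetch(:admin, false)
  end
end

class ProjectMember
  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs
  end
end

# Stand-in for strong parameters: keep only whitelisted keys, drop the rest.
def permit(hash, allowed)
  hash.select { |key, _| allowed.include?(key) }
end

# Vulnerable pattern from the answer: whatever the client sends is written.
def create_user_unsafe(params)
  User.new(params[:user])
end

# Same call behind a permit filter: only :name survives, :admin is dropped.
def create_user_permitted(params)
  User.new(permit(params[:user], [:name]))
end

# The question's pattern: each attribute is picked explicitly, so extra keys
# a client adds to params are never consulted at all.
def create_project_member(params, project_id)
  ProjectMember.new(
    user_id: params[:user_id],
    project_id: project_id,
    role: params[:project_member][:role]
  )
end

# Constructed request hash with forged :admin keys in both nested hashes.
FORGED_PARAMS = {
  user: { name: 'Haxxor', admin: true },
  user_id: 7,
  project_member: { role: 'owner', admin: true }
}
```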