My url looks something like this username/project/project_members
User has many projects, and there is also a rich many-to-many relationship between users and projects through project members. Think of it like GitHub: a user has many repos and a repo has many collaborators as users.
Now to make a new object of ProjectMember, I can do mass assignment:
ProjectMember.create(user_id: params[:user_id], project_id: @project.id, role: params[:project_member][:role])
or I can do:
@project.members << @member
@project.member_project(role: params[:project_member][:role])
As you can tell, in both cases I need to find the @project and @member objects first. To find @member I am already passing user_id as a hidden field, and I find @project from my URL (see top). My form looks like:
- @users.each do |user|
  = form_tag user_project_project_members_add_path(@project.user, @project) do
    = label_tag 'username', user.username
    = hidden_field_tag "user_id", user.id
    = select('project_member', 'role', roles)
    = submit_tag 'Add', :name => nil
This kind of code leaves strong params useless, i.e. I am not using them to make my new project_member instance. Should I be concerned that I am not using strong params? I guess one hack could be to pass project_id as a hidden field too. Should I be bending over backwards just so that I can use strong params?
The kind of mass assignment that leads to vulnerabilities is when you are doing:
And then a malicious user would pass
{ user: { name: 'Haxxor', admin: true }}
and your entire app is compromised. Up until Rails 4, Rails would happily let you do that.
There is no real danger in doing:
Even if you are creating ProjectMember with a hash, you are actually assigning a param to each attribute by hand.
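The following is an added example, not code from the question or the answer. It runs in plain Ruby with no Rails installed, so `Record` is a hand-written stand-in for an ActiveRecord model that mass-assigns every key of a hash (the pre-Rails-4 behaviour), and `permit` is a stand-in for `ActionController::Parameters#permit`; the request hashes are constructed. It shows the three cases discussed above side by side: the unfiltered `User.create(params[:user])` pattern that lets `admin: true` through, the same call behind a whitelist, and the asker's `ProjectMember.create(user_id: ..., project_id: ..., role: ...)` style, which reads only the named params and ignores anything extra the client sends.

```ruby
# Hypothetical stand-in for an ActiveRecord model (assumption: no Rails here).
# Assigning a hash sets every key that names an attribute, which is exactly
# the mass-assignment behaviour Rails 3 had without attr_accessible.
class Record
  def self.attributes(*names)
    names.each { |n| attr_accessor n }
    define_method(:attribute_names) { names }
  end

  def initialize(attrs = {})
    attrs.each do |key, value|
      unless attribute_names.include?(key.to_sym)
        raise ArgumentError, "unknown attribute #{key}"
      end
      public_send("#{key}=", value)
    end
  end

  def to_h
    attribute_names.map { |n| [n, public_send(n)] }.to_h
  end
end

class User < Record
  attributes :name, :admin
end

class ProjectMember < Record
  attributes :user_id, :project_id, :role
end

# Stand-in for ActionController::Parameters#permit: keep whitelisted keys only.
def permit(params, *allowed)
  params.select { |k, _| allowed.include?(k.to_sym) }
end

# Constructed malicious body: the attacker adds admin: true to a signup form.
EVIL_PARAMS = { user: { name: 'Haxxor', admin: true } }.freeze

# Constructed submission of the "Add member" form, with two extra keys the
# client has stuffed in (project_id and admin) that the form never sends.
FORM_PARAMS = {
  user_id: 7,
  project_id: 999,
  project_member: { role: 'member', admin: true }
}.freeze

# The dangerous pattern: User.create(params[:user]) with no filtering.
def unsafe_create(params)
  User.new(params[:user])
end

# Strong-params style: only :name survives, admin: true is dropped.
def safe_create(params)
  User.new(permit(params[:user], :name))
end

# The asker's style: every attribute is picked out of params by hand, and the
# project id comes from the loaded @project, so the client's project_id: 999
# and admin: true never reach the model.
def explicit_create(params, project_id)
  ProjectMember.new(
    user_id: params[:user_id],
    project_id: project_id,
    role: params[:project_member][:role]
  )
end

if __FILE__ == $PROGRAM_NAME
  p unsafe_create(EVIL_PARAMS).to_h
  p safe_create(EVIL_PARAMS).to_h
  p explicit_create(FORM_PARAMS, 42).to_h
end
```

One caveat that strong params do not address either way: the `<select>` only restricts the role list on the client. Whatever the form offers, a user can post `role=owner` directly, so the role value itself still needs server-side validation (for example an `inclusion` validation against the roles the project actually allows).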