
The ELC Community Blog

A knowledge exchange on Ruby on Rails and Agile Development


Securing your Models

by Dylan Stamat on March 02, 2007

Rails is quite secure by default. When using ActiveRecord, however, please do remember to secure your models' attributes. Pretty please?

For example, if I have a bank_account that has_many :checking_accounts, an instance of my BankAccount will have a handy little checking_account_ids= method given to it by the has_many declaration.

   >> bank_account.checking_account_ids
   => [1234]

Nice. Now, I bank at the same bank as Li Ka-shing, and I happen to stumble upon his checking account number... which is 9999. Cool... let me go edit my account, and slip this into the PUT:

   bank_account[checking_account_ids][]=9999

Cha-ching!

Why did this happen? It happened because this attribute was not protected. We also assumed that the bank was doing something similar to one of the following in the controller's update method:

   bank_account.attributes = params[:bank_account]
   bank_account.update_attributes(params[:bank_account])

How do you protect your attributes? Use attr_accessible.

attr_accessible will only let the attributes named be available for mass-assignment. This is much better than attr_protected in my opinion, as attr_protected requires you to declare "every" attribute you want to be protected... which could be *a lot* depending upon the richness of your model's association structure. Note that when using attr_accessible, you may need to declare some of the generic association attributes if you do indeed need to do mass-assignments that include associations:

   attr_accessible :bank_account, :bank_account_id
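As an added example that is not part of the original post, here is a self-contained Ruby stand-in for ActiveRecord's mass assignment (the class names, attribute names and account numbers are constructed) that shows the unprotected model accepting a tampered checking_account_ids key beside the attr_accessible version dropping it:

```ruby
# Added example (not from the original post): a minimal stand-in for
# ActiveRecord's mass assignment, so the attr_accessible allowlist can be
# exercised offline. Class names and account numbers are constructed.
class MassAssignable
  # Per-class allowlist, mirroring ActiveRecord's attr_accessible.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  # nil means no allowlist was declared, so every attribute is assignable.
  def self.accessible_attributes
    @accessible
  end

  def initialize(attrs = {})
    @attributes = {}
    attrs.each { |k, v| @attributes[k.to_s] = v }
  end

  def [](name)
    @attributes[name.to_s]
  end

  # Mass assignment from a params hash. Without an allowlist every posted key
  # is written, which is how checking_account_ids gets overwritten from a form.
  def attributes=(params)
    allowed = self.class.accessible_attributes
    params.each do |k, v|
      next if allowed && !allowed.include?(k.to_s) # drop unlisted keys silently
      @attributes[k.to_s] = v
    end
  end
end

# Vulnerable: no attr_accessible, so any posted key is written.
class UnprotectedBankAccount < MassAssignable; end

# Hardened: only the fields a customer may edit are mass-assignable.
class ProtectedBankAccount < MassAssignable
  attr_accessible :nickname, :statement_email
end

# Simulates the controller's update action with a tampered params hash
# (the extra checking_account_ids key a user could add to the PUT).
def update_with_tampered_params(klass)
  account = klass.new(owner: "me", checking_account_ids: [1234])
  tampered = { "nickname" => "main", "checking_account_ids" => [9999] }
  account.attributes = tampered
  account["checking_account_ids"] # [9999] if unprotected, [1234] if protected
end
```

Real ActiveRecord logs dropped attributes rather than failing loudly, so a test like the one above that asserts the association ids survive a tampered update is the check worth keeping in the suite.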

This is nothing new. People have covered this topic already, and the official Rails manual at manual.rubyonrails.com has done a good job of touching on its importance as well. Just take this as a public service announcement, and get to work securing your models!
